Sqllab 1-6 exercise
2022-07-05 13:54:00 【Cwxh0125】
Preface
What is SQL injection?
An attacker constructs SQL statements of their own choosing so that the database carries out operations the application never intended.
Two conditions must hold: the parameter is user-controlled, and that parameter is placed into the database query.
The basic flow
1. Determine the injection point
2. Determine the number of fields
3. Determine the echo point
4. Query the relevant content: database name ----> table names ----> column names ----> data
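The two conditions above (a user-controlled parameter that is placed into the query text) and step 1 of the flow can be shown side by side. The following is an added example, not code from the original post or from the sqli-labs project: it uses an in-memory SQLite table with constructed rows as a stand-in for the lab's MySQL users table, a deliberately vulnerable lookup in the style of the single-quote string case (the id pasted inside quotes), its parameterised counterpart, and the "and 1=1 / and 1=2" differential check the walkthrough uses to confirm an injection point. Function and table names are chosen here, not taken from the page.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's users table (sample rows made up here).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "carol", "pw-carol")],
    )
    return conn


def lookup_vulnerable(conn, user_id: str):
    """Single-quote string case: the id is pasted into the SQL text (deliberately vulnerable)."""
    sql = "SELECT id, username FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone()


def lookup_safe(conn, user_id: str):
    """Hardened form: the id travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


def has_boolean_differential(conn, lookup) -> bool:
    """Step 1 of the flow as a check: does 'and 1=1' versus 'and 1=2' change the result?
    True means the input reached the SQL parser, i.e. there is an injection point."""
    true_case = lookup(conn, "1' and 1=1 -- ")
    false_case = lookup(conn, "1' and 1=2 -- ")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup has injection point:", has_boolean_differential(db, lookup_vulnerable))
    print("parameterised lookup has injection point:", has_boolean_differential(db, lookup_safe))
```

With the vulnerable lookup the two probes return different rows, exactly the signal the walkthrough looks for; with the bound parameter both probes are compared as a literal id value, so the page never changes and there is nothing to inject.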
Setup
Copy the files to D:\phpstudy_pro\WWW
Create a site and set its root directory to that folder. Note that the PHP version needs to be 5.4.45.
That completes the setup.
less-1 GET - Error based - Single quotes - String
1. Determine the injection point
Appending and 1=2 without quotes leaves the page unchanged, so the 1=2 was not executed.
Try closing the string with a single quote.
That works; the source code confirms the parameter is wrapped in single quotes.
So this is a single-quote string injection.
2. Determine the number of fields
Try order by 1, 2, 3 ... in turn.
order by 4 fails because that column does not exist, so the number of fields is 3.
3. Determine the echo point
Use a union query; since there are 3 fields, union select 1,2,3.
Why is the echo point not shown?
Because the page is still showing the row for id=1. Change id to a nonexistent or larger number so the original query returns nothing.
Now columns 2 and 3 are the echo points.
4. Query the relevant content
Database name: use database().
Table names: either 1. use limit to fetch them one at a time, or 2. use group_concat; but if there are many table names the output may be truncated.
Column names
Query the column names of each table.
In the users table we found a password column.
Data
Use group_concat() to read the username and password corresponding to each id.
less-2 GET - Error based - Integer based
1. Determine the injection point
Here and 1=2 is executed directly, so the parameter is used as an integer with no quoting.
2. Determine the number of fields
3. Determine the echo point
4. Query data
Database name
Table names
Column names
Data
less-3 GET - Error based - Single quotes with twist string
1. Determine the injection point
Try the different combinations of closing characters, and check the source code.
2. Determine the number of fields
3. Determine the echo point
4. Query data
Database name, table names and column names are queried the same way as in the first two exercises.
Query data
less-4 GET - Error based - Single quotes with twist string
1. Determine the injection point
Determined by combining the tests with a look at the source code.
2. Determine the number of fields
3. Determine the echo point
4. Query data
less-5
1. Determine the injection point
Close the string with a single quote.
2. Determine the number of fields
The number of fields is 3
3. Determine the echo point
No echo point is found, so blind injection is required.
Blind injection is SQL injection carried out without seeing the query's return value on the page: the data is inferred piece by piece. Blind injection is generally divided into Boolean-based, time-based and error-based blind injection.
Boolean-based: the page has only two states, true and false. Using that difference, the data is guessed one character at a time.
Time-based: judged by how long the page takes to respond.
Test with the sleep() function, then combine if() and sleep() to guess the data one character at a time.
For example, if the ASCII code of the first character of the current database, ascii(substr(database(),1,1)), is greater than 100, sleep 10 seconds when true and 4 seconds when false.
Link to the original text: https://blog.csdn.net/weixin_40709439/article/details/81355856
Error-based: there is no normal output position, so the required data is made to appear in the database error message.
4. Query data
Database name: ?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),%20%20--%20app
Table names
Column names
Data
The group_concat output turns out to be truncated in the error message, so use limit instead.
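From the defender's side, every technique walked through so far (order by column counting, union select echo probing, group_concat reads, updatexml error-based extraction and if()/sleep() time-based probing) leaves a recognisable trace in the web server's access log, and the time-based one additionally leaves a response time far above the baseline. The following is an added example, not part of the original post: a small log scanner that URL-decodes the query string (so %27 / %20 / + encodings as in the payloads above do not hide anything), matches the indicators for those techniques, and correlates sleep() with an unusually slow response. The log lines are constructed for this example, the log format and the 3000 ms threshold are assumptions, and the function names are chosen here.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (made up for this example, not from a real server).
# Format: client "METHOD PATH PROTOCOL" STATUS RESPONSE_TIME_MS
SAMPLE_LOG = """\
10.0.0.5 "GET /Less-1/?id=1 HTTP/1.1" 200 12
10.0.0.5 "GET /Less-1/?id=1%27%20order%20by%204--+ HTTP/1.1" 200 15
10.0.0.5 "GET /Less-1/?id=-1%27%20union%20select%201,2,3--+ HTTP/1.1" 200 14
10.0.0.5 "GET /Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,database()),1)--+ HTTP/1.1" 200 13
10.0.0.5 "GET /Less-5/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E100,sleep(10),sleep(4))--+ HTTP/1.1" 200 10021
10.0.0.7 "GET /Less-1/?id=3 HTTP/1.1" 200 11
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)

# One indicator per technique from the walkthrough, matched against the decoded,
# lower-cased query string so encoding and case differences do not hide it.
INDICATORS = [
    ("order by column-count probe", re.compile(r"\border\s+by\s+\d+")),
    ("union select echo-point probe", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("group_concat bulk read", re.compile(r"\bgroup_concat\s*\(")),
    ("updatexml error-based extraction", re.compile(r"\bupdatexml\s*\(")),
    ("sleep() time-based probe", re.compile(r"\bsleep\s*\(")),
    ("database() fingerprint", re.compile(r"\bdatabase\s*\(\s*\)")),
]

SLOW_MS = 3000  # assumed threshold: the lab pages normally answer in a few milliseconds


def decode_query(target: str) -> str:
    """Return the URL-decoded, lower-cased query string of a request target."""
    return unquote_plus(urlsplit(target).query).lower()


def scan_line(line: str, slow_ms: int = SLOW_MS):
    """Return (decoded_query, reasons) for one log line; reasons is [] when nothing matched."""
    m = LINE_RE.match(line)
    if not m:
        return None, ["unparseable line"]
    query = decode_query(m.group("target"))
    reasons = [name for name, rx in INDICATORS if rx.search(query)]
    ms = int(m.group("ms"))
    # sleep() in the request plus a response far above baseline: the time-based
    # probe did not just arrive, it was executed by the database.
    if ms > slow_ms and "sleep(" in query:
        reasons.append(f"slow response ({ms} ms) consistent with sleep() payload")
    return query, reasons


def scan_log(text: str, slow_ms: int = SLOW_MS):
    """Scan a whole log; return (line_number, decoded_query, reasons) for flagged lines only."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        query, reasons = scan_line(line, slow_ms)
        if reasons:
            hits.append((n, query, reasons))
    return hits


if __name__ == "__main__":
    for n, query, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {query}")
        for reason in reasons:
            print(f"    - {reason}")
```

Keyword matching alone is noisy on real traffic, which is why the slow-response correlation is kept separate: a sleep() string that produced a ten-second response is a much stronger signal than the string on its own, and the same idea (pair the request pattern with the observable side effect) applies to the error-based case when database error text appears in the response body.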
less-6 GET - Double Injection - Double Quotes - String
1. Determine the injection point: as in the previous exercise, but the closing character is a double quote (").
2. Determine the number of fields: same as before.
3. Query the data with blind injection.