Sqli labs level 1

A record article written hastily

Concept

SQL Injection is to splice malicious code into normal database queries , Cause database information leakage and other hazards .

I think

To understand SQL Inject , Need a little knowledge of Network Planning , Better know Web The whole process of development , What technologies are used in the middle , Why do you need this technology . Of course , You first have to understand databases and SQL Inquire about , And programming language and SQL The combination of languages （ Recommend a Book 《 Introduction to Database System 》）. With these foundations ,SQL Injection will naturally understand .

Customs clearance ideas

Input id, Login normal

Try closing statement

Single quote error , It is speculated that the backend query statement is ：

select * from table where id = ’ input ’

adopt order by enumeration , The number of fields is 3

Because there is a lot of echo information , Priority joint injection

It can be seen from the above figure , The first 2、 The first 3 Fields are echo information , Therefore, it can be constructed payload, Start injecting

Library name ：

Table name ：
http://127.0.0.1/sqli-labs/Less-1/?id=-1’ union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘security’ --+

Field name ：

Field contents ：
union select 1,2,group_concat(users,0x7e,password) from users --+

I've read several tutorials and the records when doing questions

1、 Different input id, There are different echo results , Guess backstage sql Statement for ：select * from table where id= input;
2、 Single quote test , Report errors , Speculation backstage sql Statement for ：select * from table where id = ‘input’;
3、 Construction statement , Single quote closure ,order by 4 error ---->3 Column fields ,select 1,2,3,–> Echo location ;
4、 Joint injection ： union select 1,2,（ Construct statements to query information ）–+

1. Look for loopholes
2. Guess the number of fields
3. Get the database name
4. Look up the table
5. Check the field name and field value