Less-11
Double query injection (following the Bilibili video https://www.bilibili.com/video/av77851975?t=26&p=7 )
1. First, type something into the login form and capture the request directly.
We can see the error.
This time we add a single quote, then analyze the error statement the backend returns.
We can only see the syntax problem around passwd; uname never appears. Our original intention was to add a single quote and look at the syntax error coming from uname.
So add a double quote instead and see.
This time the backend error shows up.
Now we try to make it stop throwing an error: admin'# closes the single quote.
No error is shown.
Then test the number of columns with order by (binary search).
The result is 2 columns.
Then try a union select joint query.
We find that not only is no content displayed, there is also no error, so we have no way to get the data we want through echoed output.
So we need a new method!
The first step is to get the error message echoed back to us.
The idea is to make the backend produce a syntax error, so that the error message exposes sensitive information we cannot reach through the page output.
That method is double query injection (so called because the injection uses two selects).
floor(rand()*2): rand() gives a random value between 0 and 1, multiplying by 2 and taking floor rounds it down to 0 or 1; the purpose is to produce duplicate keys.
count(1) counts the number of rows.
group by means grouping: all rows are grouped according to the given column.
For example (the following statement counts, for every database in MySQL, how many tables it has; group by table_schema means grouping by table_schema)
(count(1) is the row count)
Draw it out to demonstrate the principle.
First a temporary table is built and queried row by row (recommended to watch the video here).
Why this result?
When the same data appears twice in a MySQL table you get this error, called duplicate entry (because the keys conflict).
Now we use concat.
Once the version information is concatenated onto this key, the keys conflict, MySQL throws the error, and the concatenated value pops out inside it.
Then change version() to database(), and the database name comes out.
Now the double query is set up.
group_concat() could be used, but group_concat() does not work here, so we use limit to go line by line (limit was covered in the earlier POST injection post).
The first table that comes out is emails.
limit 4,1 returns nothing, which shows there are three tables.
Next, dump the fields.
Then dump the values of those fields.
Go and look at the id field of the users table.
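As an added example (not from the video or the lab's own PHP), the login query built the vulnerable way beside the parameterized form, on an in-memory SQLite stand-in for the users table; the table contents are constructed, and the pattern matcher is one assumed way to flag the floor/rand/group by shape in request logs:

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the lab's users table (the real lab uses MySQL;
    # SQLite is used here only so the example runs offline).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    return con


def login_concat(con, uname, passwd):
    # Vulnerable form: the form fields are pasted straight into the SQL text.
    # A stray quote breaks the statement, and the driver's error echoes the
    # surrounding query, which is what the quote probe above reads.
    sql = ("SELECT username, password FROM users WHERE username='%s' "
           "AND password='%s' LIMIT 0,1" % (uname, passwd))
    try:
        return {"rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def login_param(con, uname, passwd):
    # Hardened form: placeholders keep the quote (and any floor/rand/group by
    # text) inside the value, so the statement itself never changes.
    sql = ("SELECT username, password FROM users WHERE username=? "
           "AND password=? LIMIT 0,1")
    return {"rows": con.execute(sql, (uname, passwd)).fetchall(), "error": None}


# Assumed detection heuristic: the double-query technique needs these tokens
# together in one form value, which real usernames practically never contain.
ERROR_BASED = re.compile(
    r"floor\s*\(\s*rand|group\s+by|concat\s*\(|information_schema", re.I)


def looks_error_based(value):
    return bool(ERROR_BASED.search(value))
```

With the parameterized form the quote probe returns an empty result and no error, so the error message the walkthrough relies on never reaches the response.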