Sqli-labs (iii)

Source: Internet
Author: User
Tags: rand

Level 5 (Less-5): this level still has a union-query injection vulnerability, but the page does not display the query results; it does, however, display database error messages on the page.

This is a double-query injection. In fact, error-based injection and blind injection would also work here, but I find double-query injection quite interesting, so we will follow the double-query process.

Https://www.2cto.com/article/201303/192718.html

That article is very good and I will not repeat its content, but one point is very important. Put simply, the principle is this: when an aggregate function such as count() is used together with a GROUP BY clause, part of the query result is displayed inside the error message.

Step one: as before, use ORDER BY to determine the number of columns in the table.

Step two: input

id=1'%20union%20select%20count(*),concat((select%20user()),floor(rand()))%20as%20a,count(*)%20from%20information_schema.schemata%20group%20by%20a%23

It is rather long, but there is no need to rush; let me explain it slowly. The skeleton is still id=1' union select ... from information_schema.schemata #

The only difference is that the column placeholders are replaced by the aggregate function and a GROUP BY is appended. The reason is the important point mentioned above (put simply, when an aggregate function such as count() is used together with a grouping statement, part of the query result is displayed in the error message).

Here a is the alias we give (using AS) to concat((select user()), floor(rand())).

rand() returns a random value between 0 and 1 and floor() rounds it down; concat() then joins the result of the subquery (select user()) with the 0 or 1 to form something like xxx0 or xxx1, so the result varies. This is done so that the result can be grouped (that is, so that GROUP BY can be used on it).

Now that you understand the meaning of the whole statement, the rest is simple: just change the subquery to whatever query you need.

Step three: query all the database names

http://localhost/sqli-labs-master/Less-5/?id=1'%20union%20select%20count(*),concat((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),floor(rand()))%20as%20a,count(*)%20from%20information_schema.schemata%20group%20by%20a%23

Note that the subquery cannot use group_concat(), otherwise no error is produced; you can only use LIMIT to retrieve one row of the query at a time.

I will not repeat the subsequent steps of querying table names, column names and data; they work just as in the earlier levels.

Level 6 (Less-6):

It is the same as Less-5, except that the single quote is replaced by a double quote.
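From the defender's side, the technique used in Less-5 and Less-6 has a recognisable shape in web-server logs regardless of which quote character closes the string: an aggregate, a key salted with floor(rand()), and GROUP BY all in one query string. The following Python detector is an added example (not code from the original article or from sqli-labs); the request lines it scans are constructed samples, the first of which mirrors the Less-5 payload shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not real traffic). The first mirrors the
# Less-5 double-query payload from this article; the other two are benign.
SAMPLE_REQUESTS = [
    "GET /sqli-labs-master/Less-5/?id=1'%20union%20select%20count(*),"
    "concat((select%20user()),floor(rand()))%20as%20a,count(*)%20from"
    "%20information_schema.schemata%20group%20by%20a%23 HTTP/1.1",
    "GET /sqli-labs-master/Less-5/?id=1 HTTP/1.1",
    "GET /shop/?id=7&sort=group HTTP/1.1",
]

# The three building blocks of the double-query trick: an aggregate (count),
# a grouping key salted with floor(rand()), and GROUP BY. Any one of them can
# appear in legitimate traffic; all three in one query string is the signature.
DOUBLE_QUERY_PARTS = [
    re.compile(r"\bcount\s*\(", re.I),
    re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    re.compile(r"\bgroup\s+by\b", re.I),
]


def decode_query(request_line: str) -> str:
    """Return the URL-decoded query string of a request line ('' if none)."""
    parts = request_line.split(" ")
    if len(parts) < 2 or "?" not in parts[1]:
        return ""
    # Decode %20, %23 (#) etc. so the regexes see the SQL the server sees.
    return unquote_plus(parts[1].split("?", 1)[1])


def is_double_query_injection(request_line: str) -> bool:
    """True when every part of the floor(rand())/GROUP BY signature is present."""
    query = decode_query(request_line)
    return all(p.search(query) for p in DOUBLE_QUERY_PARTS)


def flag_requests(lines):
    """Return only the request lines that match the signature."""
    return [line for line in lines if is_double_query_injection(line)]


if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUESTS):
        print("ALERT double-query injection:", line)
```

A signature like this is a detection aid, not a fix: the underlying defect in these levels is that id is concatenated into the SQL string, and the real mitigation is a parameterised query.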
