SQLI Labs Series-less-1 detailed article

Source: Internet
Author: User
Tags: mysql injection, sql injection, sql injection attack

When it comes to learning SQL injection, among the many online practice ranges the Sqli-labs series is a very good one: it has reached more than 60 levels, I have played a few of them myself, and it is excellent source code for practising SQL injection.

I had been planning to work through it from the beginning. After summarising some of the principles, I started on it; after all, the SQL injection knowledge it covers is very complete. I will post it as: Sqli Labs series.

Oh, and about the header image of this series: that picture is from a low-key group of active users installing X-Wall, purely for entertainment, so don't take it seriously.

Now on to the main text!

First we start on the first level and set up the injection environment: after http://127.0.0.1/sqli-labs-master/Less-1/ we add index.php?id=1. Of course we can also just add ?id=1, because the variable is id=1; as long as there is a variable it works.

Let's add it.

After adding it, the data is displayed, isn't it? Then we can start constructing the injection statement.

As usual, I enter and 1=1 after id=1 to check whether the page still displays correctly.

The result is obvious: it displays correctly. Then I enter and 1=2 for the error test.

The result: no error either. I started to wonder, so first I sketched out what the SQL statement probably looks like.

Then I typed the ' symbol, thinking that would make it throw an error.

Since I have played this a lot, one look at the error tells me where the problem is, but you may not be able to see it, so I will change the error-triggering symbol and use this in place of '.

We copy the error message into a new text file and analyse it.

Looking at it here, I don't know whether you can see it or not; my first guess is that the SQL statement looks like this.

The "at line 1" at the end is just quoted verbatim from the error; we won't analyse that, only how to inject.

All right, I will split up the SQL statement from the error above so that everyone can read it directly.

Here it is, pasted.

Did you see it? The argument is wrapped in single quotes, so it is treated as a string. We just need to close this ' at the front and at the back, and then won't we be able to query?

At this point you must be thinking of commenting out the rest of the line? Yes, just comment it out. But since I play this often, I want to show two methods: one is closing the quote, the other is a comment.

The first is closing the quote; the second is the -- comment. By the way, the two dashes must be followed by a space for the comment to take effect, but I generally use + in place of the space, i.e. --+, for such comments.

Okay, let's start testing the first one and see whether it works.

and 1=1 displays correctly; then I test and 1=2 again.

OK, as I expected, an error occurs.

Now let's test the comment method.

and 1=1 displays normally; then test and 1=2.

The error appears, so my SQL injection can basically begin!
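As an added illustration (not code from the original post or from sqli-labs), the Less-1 pattern of concatenating id into a string-quoted literal is rebuilt on SQLite beside a parameterised version; the table and rows are constructed. The defender's point: once the value is bound as a parameter, the closing quote and comment from the text above are just characters in the data, so the and 1=1 / and 1=2 difference the walkthrough relies on disappears.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the level's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "carol", "pw3")],
    )
    return conn


def vulnerable_lookup(conn, id_param):
    """Mirrors the Less-1 pattern: the id is spliced into a string-quoted literal.
    A quote in id_param closes the string, and a trailing comment discards the
    original closing quote and LIMIT clause (hypothetical helper)."""
    sql = "SELECT username, password FROM users WHERE id='" + id_param + "' LIMIT 1"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """Parameterised query: the driver binds the value separately from the SQL text.
    Quotes and comment markers inside id_param never reach the parser as syntax."""
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (id_param,)).fetchall()


def compare(id_param):
    """Run both variants on the same input so the difference is visible side by side."""
    conn = make_db()
    return {"vulnerable": vulnerable_lookup(conn, id_param), "safe": safe_lookup(conn, id_param)}


if __name__ == "__main__":
    # In MySQL the '--' comment needs a trailing space (hence the --+ in the URL);
    # a literal trailing space is used here so the same probe reads on SQLite.
    for probe in ("1", "1' and 1=1 -- ", "1' and 1=2 -- "):
        print(repr(probe), compare(probe))
```

With the bound parameter, the probe "1' and 1=1 -- " returns no row at all because no id literally equals that text, which is exactly the behaviour a defender wants.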

I'm going to start injecting!!!

First, determine the number of fields. I started with an order by query, but there was still no error all the way up to 100, which means that method failed; I could only use union select to check, and found a total of 3 fields in all.

Then I made it error out with and 1=2 union select, so that it shows the result.

Then start querying the database name, version number and user.

User:

Database name:

Version number:

Since the version is above 5.0, we can query directly.

I start by transcoding the current database name.

Then dump all the table names.

I found the name of the users table and continued transcoding it.

Then dump all the column names in that table.

I picked two of them directly and started dumping the data.

The result is nothing, and it also reported an error ...

Then I look at the error message and decisively switch the comment method, commenting out the trailing ....

Well, the data was dumped successfully.

OK, that's it for the first level; I pass.

Summary:

I know this first write-up is very detailed, but with more than 60 levels I certainly won't finish quickly; I play it when I have nothing else to do, and once I have played further I will write a second post. And if you are a bit unfamiliar with the attack statements I used, you can read the analysis of SQL injection attack principles for the MySQL database in this column.

Address: MySQL Injection chapter
