SQL Injection: sqli-labs Practice Notes



I've been doing security seriously for about a year now, and I've always been afraid of SQL injection and never dared to practise it. Starting today I'm going to keep grinding through the levels.

Basics

List databases: select schema_name from information_schema.schemata;
List tables:    select table_name from information_schema.tables where table_schema='security';
List columns:   select column_name from information_schema.columns where table_name='users';
Fetch fields:   select username,password from security.users;

MySQL comment syntax

1: --+

2: -- followed by a space

3: #

The purpose is to comment out whatever MySQL statement text follows the injection point so it is no longer executed, while the part before it carries the parameters you add yourself. MySQL requires a space after --, which is why the --+ form works in a URL: the + is decoded to that space.

OR and AND

A and B    True only when A and B are both true
A or B     True when at least one of A and B is true

Understanding LIMIT

SELECT * FROM users WHERE id='1' LIMIT 0,1

In limit 0,1 the first number is the offset to start from (0 means start at the first row), and the second number, 1, is how many rows to return.

mysql> SELECT * FROM users LIMIT 2,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | Dummy    | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users LIMIT 3,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  4 | secure   | crappy   |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users LIMIT 0,2;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
+----+----------+------------+
2 rows in set (0.00 sec)

mysql> SELECT * FROM users LIMIT 0,5;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
+----+----------+------------+
5 rows in set (0.00 sec)

mysql>

ORDER BY

Sorts the result by a given column (a number refers to the column's position in the result set).

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by 1;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by 2;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 14 | admin4   | admin4     |
|  2 | Angelina | I-kill-you |
|  7 | batman   | mob!le     |
| 12 | dhakkan  | dumbo      |
|  1 | Dumb     | Dumb       |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by 3;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 14 | admin4   | admin4     |
|  4 | secure   | crappy     |
|  1 | Dumb     | Dumb       |
| 12 | dhakkan  | dumbo      |
|  6 | superman | genious    |
|  2 | Angelina | I-kill-you |
|  7 | batman   | mob!le     |
|  3 | Dummy    | p@ssword   |
|  5 | stupid   | stupidity  |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by 4;                 (error)
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql>

By raising the ORDER BY position until it errors, you find the first column number that does not exist, and therefore how many columns the queried table has.

Less-01:

When ?id=1' order by 4 --+ produces an error but ?id=1' order by 3 --+ does not, the table has 3 columns.
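As an added illustration (not code from the original post or from sqli-labs), here is the Less-01 query shape built two ways: the vulnerable way, pasting the id into the SQL string, and the fixed way, binding it as a parameter, with the same ORDER BY probes run against both. It assumes an in-memory sqlite3 database standing in for MySQL, a constructed three-row copy of the users table, and that the + in --+ has already been URL-decoded to a space.

```python
import sqlite3

# Constructed sample: a three-row subset of the sqli-labs users table shown above.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def make_db():
    # In-memory sqlite3 stands in for the MySQL `security` database (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Less-01 shape: the request parameter is pasted straight into the statement,
    # so a quote in it closes the string and everything after it is parsed as SQL.
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The error text (ORDER BY term out of range) is what leaks the column count.
        return "error", str(exc)


def lookup_safe(conn, user_id):
    # Bound parameter: the value travels separately from the statement text and is
    # only ever compared against id, never parsed as SQL, so no error can leak.
    rows = conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()
    return "ok", rows


def is_valid_id(value):
    # Allow-list check for numeric ids: reject anything that is not plain digits
    # before it reaches the database at all.
    return value.isdigit()


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1' order by 3 -- ", "1' order by 4 -- "):
        print(repr(probe), "vulnerable:", lookup_vulnerable(db, probe),
              "safe:", lookup_safe(db, probe), "valid id:", is_valid_id(probe))
```

The vulnerable lookup answers "ok" for order by 3 and "error" for order by 4, which is exactly the column-count oracle the level relies on; the bound version returns no row for either probe and the allow-list rejects them before any query runs.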


Author: R1ch029
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit R1ch029 as the source when reposting!