Sqli-labs- Level 1 (Let you pass and let you know why, baby)
In short, these five steps will give you a real understanding of how a basic SQL injection works.

First, find the injection point (for now it is enough to know that and 1=1 / and 1=2 is used to test for an integer injection, and a single quotation mark is used to test for a string injection).

The page takes ?id=1 (any number will do). Request ?id=1 and 1=1, then ?id=1 and 1=2, and compare the pages. If neither request changes the page, the parameter is not being used as a bare integer.

Next, add a single quotation mark, ?id=1', and see whether the page changes.

What does it mean? Going from the normal page to a database error page after adding a single quotation mark means the input is placed inside a single-quoted string in the query: this is a single-quote (string) injection point.

Okay, the injection point is found. Next.

Second, find the number of columns (the number of columns is the number of fields in a table, for example (id, name, age, qq number)).

It is done with the order by clause shown below.

Why find this? You must know how many columns the query returns before you can get anything out of it. By itself the number does not matter much.

What matters is that it is the basis for the next step: only when you know the exact number of columns can you use union to get what you want.

The select after union must return the same number of columns as the original select. Suppose the query returns three columns and you enter union select 1,2 (try it): you get an error. In this level the union must have exactly three values, union select 1,2,3, for the query to run. So use order by to find the number of columns: order by N sorts by the Nth column, and errors as soon as N is larger than the number of columns. With that number known, union can do its work.

Third, get the name of the database.

Now let's talk about how to get the database name, table names, column names and the data in those columns with a union query.

So you must know how to use union.

Here I first set ?id=-1'. Why? You have found a SQL injection point and produced an error; now you need the front half of the statement to fail in a harmless way (return no row) so that the SQL you append after it runs, and its result is what gets displayed.

So the part before union must return nothing. id=1' on its own is the normal query and returns the normal row. Prefix a minus sign, id=-1' (ids start at 1, so a negative id does not exist) and nothing is returned; appending and 1=2 has the same effect.

and 1=1 will not do, because then the original statement is still true and returns its own row, right? With -1 or and 1=2 the union row is the one that gets displayed.

Next, use union select 1,2,3--+.

Why add --+ at the end? -- starts a comment, which means everything after it is commented out. There is still the rest of the original query after our input (the closing quote and what follows it), which we do not need, so it is commented out. The + becomes a space after URL decoding, and MySQL requires a space after -- for it to count as a comment.

Then press enter: 2 and 3 are displayed, which means columns 2 and 3 are echoed to the page and can be used. Then I only need to replace the 3 with what I want to see.

Before going on, a few functions and clauses:

(1) version(): the database version.

(2) user(): the current database user.

(3) database(): the database currently in use.

(4) limit: the limit clause fetches rows in batches (for example one row at a time).

(5) group_concat(): joins the values from many rows into one string, so the information can be read in a single request.

View the database, version and current user (all payloads below follow the ?id=-1' prefix from above)

Enter union select 1,2,user()--+ to view the user name.

Enter union select 1,2,database()--+ to view the database in use (the key one).

Enter union select 1,2,version()--+ to view the database version.

Fourth, look up the tables

Now you know the name of the database. Why do you want it?

If you want user names and passwords, you must first know which database, and then which table, they are in.

That is easy to look up.

Enter union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

Of course, union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ can also be used directly.

database() returns the database this page is using, so the two give the same result here (leave out the where clause and you get the table names of every database on the server, baby)

One thing I forgot to explain: the string of yellow code that I marked with the first red line in this picture includes the code I entered from the URL; the page runs echo "$sql",

which echoes the query to the page so that you can see the code I entered. Look at the second picture below.

Ok, keep doing it.

My understanding of this query: group_concat(table_name) joins the table names together so they are displayed in one go; from information_schema.tables is fixed, literally the tables table of the information_schema database; then comes the where restriction, where table_schema='security', which only looks at the database named security.

In the list of tables we find the users table, so the user names and passwords we want should be there.

Fifth, look up the column names and values.

Enter union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+

Of course, you can also use union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()--+ directly.

The principle is the same. There are not many tables in this database, so just search the whole database.

That gives the column names of the users table, among them username and password.

Hey, hey, can you get every value of those two columns?

Enter union select 1,2,group_concat(username,0x3a,password) from users--+

You get the password for every user name (0x3a is the hexadecimal ASCII code of the colon character ':').

Okay, it worked.

Summary:

Two steps:

Find the SQL injection vulnerability.

Use the vulnerability to obtain the information you want.

Know the code:

The code used to find the SQL injection point (integer, string, boolean, and the # and --+ comments, etc.).

The order by code used to find the number of columns.

The union code used to get the database name, table names, column names and data values.

More interestingly, sqlmap.py automates all of this; I won't go into it here. Think it through for yourself.
