1. First, submit ?id=1 and 1=1 and ?id=1 and 1=2; this rules out integer-type injection.

2. Submit ' and 1=1 --+ and ' and 1=2 --+; both return the same error, so try closing with a double quote.

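3. With double-quote closure, both 1=1 and 1=2 return the normal page, so the closure should be a single quote. Verify whether the single-quote closure succeeds.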

4. The floor() function: first construct the simplest template statement: and (select 1 from (select count(*),concat((),floor(rand(0)*2))x from information_schema.tables group by x)a)
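
Seen from the detection side, the probes in steps 1 to 4 leave recognizable traces in web access logs. The following is an added example, not part of the original walkthrough: a small classifier run over constructed request lines. The /Less-3/ paths, the rule names and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request targets mirroring steps 1-4 (not real log data).
SAMPLE_REQUESTS = [
    "/Less-3/?id=1",
    "/Less-3/?id=1%20and%201=1",
    "/Less-3/?id=1%20and%201=2",
    "/Less-3/?id=1%27%20and%201=1%20--+",
    "/Less-3/?id=1%22%20and%201=2%20--+",
    "/Less-3/?id=1%20and%20(select%201%20from%20(select%20count(*),"
    "concat((),floor(rand(0)*2))x%20from%20information_schema.tables"
    "%20group%20by%20x)a)",
]

# Hypothetical rule names; each regex runs on the URL-decoded parameter value.
RULES = {
    # "and 1=1" / "and 1=2" style comparisons of two integer literals
    "boolean_probe": re.compile(r"\b(?:and|or)\s*(\d+)\s*=\s*(\d+)", re.I),
    # a quote followed by a trailing SQL comment ("--+" decodes to "-- ")
    "quote_then_comment": re.compile(r"['\"][^'\"]*(?:--(?:\s|$)|#)"),
    # the floor(rand(0)*2) ... group by error-based template from step 4
    "floor_rand_group_by": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.I | re.S),
    "information_schema": re.compile(r"information_schema\.", re.I),
}

def classify(request_target):
    """Return the sorted rule names matched by any query-string value."""
    hits = set()
    query = urlsplit(request_target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        for name, rx in RULES.items():
            if rx.search(value):
                hits.add(name)
    return sorted(hits)

def paired_boolean_probes(targets):
    """True when both a true (1=1) and a false (1=2) comparison were sent,
    the pairing used in steps 1-3 to test how the parameter is closed."""
    seen = set()
    for target in targets:
        for _, value in parse_qsl(urlsplit(target).query):
            for a, b in RULES["boolean_probe"].findall(value):
                seen.add(a == b)
    return seen == {True, False}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), req[:60])
    print("paired probes:", paired_boolean_probes(SAMPLE_REQUESTS))
```

A true/false pair from one client against the same parameter is a stronger signal than a single match, which is why the pairing check is kept separate from the per-request rules.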
