Sqlilabs-1 (breakthrough record)

By default, you have mastered the process , Mainly dredge the points you haven't understood

①：order by: It means to sort , Sort the elements in the database

order by 1: Arrange according to the data in the first column

If there is no specified column, an error will be reported , Therefore, it can be used to report fields , Number of columns

②： About union select 1,2,3: Here, due to the characteristics of the database , a sheet mysql Execute the statement picture to illustrate ：

  therefore , If the corresponding id Make an error query , That is to say, the assignment is -1, The corresponding digital information can be echoed in the corresponding position . As for which numbers are echoed , I think it has something to do with the source code , For example, the source code of this topic , It deals with the corresponding password and username：

 ③： Pay attention when collecting information mysql A database comes with the high version information_schema

At the same time, there are several things to pay attention to ：

Information_schema.columns： A table that records all column name information

Information_schema.tables： A table that records all table name information  

Table_name: Table name

Column_name: Name

Table_schema： Database name

④： By querying the database name, we can construct payload To get more information ：

Query all table names under the specified database ：

Union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=’security’--+

Then query all column names under the specified database ：

Union select 1,group_concat(column_name),3 from information_schema.columns where table_name=’user’--+  ( Notice this quotation mark , Direct assignment and paste are not acceptable )

Derived from column names , Guess the specified column

Union select 1,group_concat(username),group_concat(password) from security.users--+

⑤： Successful entry ！！！